53-1002334-01
30 May 2012
ServerIron Traffic Works
Switching and Routing Guide
Supporting ServerIron TrafficWorks version 10.2.02
Copyright © 2012 Brocade Communications Systems, Inc. All Rights Reserved.
Brocade, Brocade Assurance, the B-wing symbol, DCX, Fabric OS, MLX, SAN Health, VCS, and VDX are registered trademarks, and
AnyIO, Brocade One, CloudPlex, Effortless Networking, ICX, NET Health, OpenScript, and The Effortless Network are trademarks of
Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names
mentioned may be trademarks of their respective owners.
Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning
any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to
this document at any time, without notice, and assumes no responsibility for its use. This informational document describes
features that may not be currently available. Contact a Brocade sales office for information on feature and product availability.
Export of technical data contained in this document may require an export license from the United States government.
The authors and Brocade Communications Systems, Inc. shall have no liability or responsibility to any person or entity with
respect to any loss, cost, liability, or damages arising from the information contained in this book or the computer programs that
accompany it.
The product described by this document may contain “open source” software covered by the GNU General Public License or other
open source license agreements. To find out which open source software is included in Brocade products, view the licensing
terms applicable to the open source software, and obtain a copy of the programming source code, please visit
http://www.brocade.com/support/oscd.
Brocade Communications Systems, Incorporated
Corporate and Latin American Headquarters
Brocade Communications Systems, Inc.
130 Holger Way
San Jose, CA 95134
Tel: 1-408-333-8000
Fax: 1-408-333-8101
E-mail: [email protected]
Asia-Pacific Headquarters
Brocade Communications Systems China HK, Ltd.
No. 1 Guanghua Road
Chao Yang District
Units 2718 and 2818
Beijing 100020, China
Tel: +8610 6588 8888
Fax: +8610 6588 9999
E-mail: [email protected]
European Headquarters
Brocade Communications Switzerland Sàrl
Centre Swissair
Tour B - 4ème étage
29, Route de l'Aéroport
Case Postale 105
CH-1215 Genève 15
Switzerland
Tel: +41 22 799 5640
Fax: +41 22 799 5641
E-mail: [email protected]
Asia-Pacific Headquarters
Brocade Communications Systems Co., Ltd. (Shenzhen WFOE)
Citic Plaza
No. 233 Tian He Road North
Unit 1308 – 13th Floor
Guangzhou, China
Tel: +8620 3891 2000
Fax: +8620 3891 2111
E-mail: [email protected]
Contents
CHAPTER 1
ABOUT THIS GUIDE
  AUDIENCE
  CONVENTIONS
  RELATED DOCUMENTATION
  GETTING TECHNICAL HELP
  DOCUMENT FEEDBACK
CHAPTER 2
SWITCHING AND ROUTING
  MAC SWITCHING
    STATIC MAC ENTRIES
    DISPLAYING MAC ADDRESSES
    DISPLAYING MAC ADDRESS STATISTICS
  STP
    CONFIGURING FAST PORT SPAN
    CONFIGURING FAST UPLINK SPAN
    MODIFYING SPANNING TREE PARAMETERS
    DISPLAYING SPANNING TREE STATISTICS
    IRONSPAN STP ENHANCEMENTS
  TRUNK GROUPS
    802.3AD LINK AGGREGATION
  VLANS
    PORT-BASED VLANS
    CHANGING THE TAG TYPE
    ENABLING AGGREGATED VLAN
    CHANGING THE ID OF THE DEFAULT VLAN
    ALLOWING TFTP ACCESS ONLY TO CLIENTS IN A SPECIFIC VLAN
    DISABLING OR RE-ENABLING DYNAMIC DISCOVERY OF PROTOCOL VLANS
    SETTING THE MAXIMUM NUMBER OF VLANS
    ASSIGNING TAGGED OR UNTAGGED PORTS TO A PORT-BASED VLAN
    CONFIGURING UPLINK PORTS
    SETTING A PRIORITY FOR A VLAN
    CONFIGURING AN APPLETALK PROTOCOL VLAN
    CONFIGURING A DECNET PROTOCOL VLAN
    CONFIGURING AN IP PROTOCOL VLAN
    CONFIGURING AN IP SUBNET PROTOCOL VLAN
    CONFIGURING AN IPX NETWORK VLAN
    CONFIGURING AN IPX PROTOCOL VLAN
    CONFIGURING A NETBIOS PROTOCOL VLAN
    CONFIGURING ANOTHER PROTOCOL VLAN
    DUAL-MODE VLAN PORTS
  MAC FILTERS
    CONFIGURING FILTERS FOR LAYER 2 FILTERING
      ADDITIONAL EXAMPLES OF LAYER 2 MAC FILTER DEFINITIONS
      ABBREVIATING THE ADDRESS OR MASK
    SETTING THE MAC AGE TIME
    ENABLING LOGGING OF PACKETS DENIED BY LAYER 2 MAC FILTERS
  ADDRESS-LOCK FILTERS
  CONFIGURING A BROADCAST FILTER
  SETTING THE BROADCAST LIMIT
  ASSIGNING A GATEWAY LIST
  MULTICAST
    ENABLING IP MULTICAST TRAFFIC REDUCTION
    CONFIGURING A MULTICAST FILTER
    SETTING THE MULTICAST LIMIT
    DISABLING IGMP QUERIES
  ADDING AN IP INTERFACE
  ADDING A STATIC IP ROUTE
  ADDING A STATIC ARP ENTRY
  CLEARING THE ARP CACHE
  CLEARING THE IP CACHE
  CLEARING THE MAC ADDRESS TABLE
  SETTING SYSTEM MAX
  ADDING A STATIC MAC ADDRESS
  DISPLAYING IP FORWARDING INFORMATION
    DISPLAYING IP FORWARDING STATE INFORMATION
    DISPLAYING THE IP HOST TABLE
    DISPLAYING THE ARP CACHE OR THE STATIC ARP TABLE
    DISPLAYING STATIC ARP ENTRIES
    DISPLAYING A LIST OF IP INTERFACES
    DISPLAYING THE IP ROUTE TABLE
    DISPLAYING IP FORWARDING TRAFFIC STATISTICS
    CLEARING IP TRAFFIC STATISTICS
  IP INTERFACES AND MULTINETTING
      THE SOURCE-NAT PARAMETER
  DISABLING LAYER 2 SWITCHING
  CONFIGURING A DECNET PROTOCOL VLAN
  CONFIGURING AN IP INTERFACE
  CONFIGURING AN IP FILTER
    SLB EXAMPLE
    TCS USES OF FILTERS
      POLICY-BASED CACHE SWITCHING
  SETTING THE TTL
  CONFIGURING AN IP PROTOCOL VLAN
  CONFIGURING AN IP SUBNET PROTOCOL VLAN
  RIP
    ENABLING RIP
      RIP TIMERS
    REDISTRIBUTING IP STATIC ROUTES INTO RIP
    ENABLING REDISTRIBUTION
    DENYING REDISTRIBUTION
    PERMITTING REDISTRIBUTION
    LEARNING RIP DEFAULT ROUTES
    ENABLING POISON REVERSE OR SPLIT HORIZON
  OSPF
  DYNAMIC LINK AGGREGATION
    CONFIGURATION RULES
    VALID AGGREGATE LINKS
    FLEXIBLE TRUNK ELIGIBILITY
    ENABLING LINK AGGREGATION
      ENABLING LINK AGGREGATION AND USING THE DEFAULT KEY
      ASSIGNING A UNIQUE KEY AND ENABLING LINK AGGREGATION
      CONFIGURING KEYS FOR PORTS WITH LINK AGGREGATION ENABLED
    LINK AGGREGATION PARAMETERS
      SYSTEM PRIORITY
      PORT PRIORITY
      LINK TYPE
      KEY
      ABOUT BLOCKED PORTS
    DISPLAYING AND DETERMINING THE STATUS OF AGGREGATE LINKS
    CLEARING THE NEGOTIATED LINK AGGREGATIONS
Chapter 1
About this Guide
This guide describes the switching and routing features of the Brocade® ServerIron devices.
Audience
This guide is intended for network engineers with a basic knowledge of switching, routing, and application traffic
management.
Conventions
This guide uses the following typographical conventions to describe information:
Italic: Highlights the title of another publication or emphasizes a word or phrase.
Bold code: Indicates code that is entered exactly as shown.
Bold: Indicates a command or keyword that can be entered exactly as is.
NOTE: A note emphasizes an important fact or calls your attention to a dependency.
WARNING: A warning calls your attention to a possible hazard that can cause injury or death.
CAUTION: A caution calls your attention to a possible hazard that can damage equipment.
Related Documentation
For more information, refer to the following Brocade Communications Systems ServerIron documentation:
• Release Notes for ServerIron Switch and Router Software TrafficWorks 10.2.00 – provides a list of new features and enhancements, upgrade procedures, and bug fixes.
• ServerIron TrafficWorks Graphical User Interface – provides details on the graphical user interface for the ServerIron family of application delivery controllers.
• ServerIron TrafficWorks Server Load Balancing Guide – describes basic Server Load Balancing configurations for the ServerIron product family. It covers the following features: Server Load Balancing, Stateless Server Load Balancing, Health Checks, Layer 7 Content Switching, and High Availability.
• ServerIron TrafficWorks Advanced Server Load Balancing Guide – discusses Advanced Server Load Balancing concepts for the ServerIron product family. It covers the following features: SIP Server Load Balancing, Transparent Cache Switching, IDS Server Load Balancing, HTTP Compression, and Total Content Analysis.
• ServerIron TrafficWorks Global Server Load Balancing Guide – explains how to achieve site-level redundancy and data center site failure protection using the Global Server Load Balancing feature of ServerIron.
• ServerIron TrafficWorks Security Guide – describes the security features of the ServerIron product family. It covers the following features: Secure Socket Layer (SSL) Acceleration, Web Application Firewall, Deep Packet Scan, Access Control List, and Network Address Translation.
• ServerIron TrafficWorks Administration Guide – discusses different administrative configurations for the ServerIron product family.
• ServerIron TrafficWorks Switching and Routing Guide – describes switching and routing configurations on the ServerIron product family.
• Brocade ServerIron Firewall Load Balancing Guide – provides detailed feature descriptions, procedures, and application examples for Firewall Load Balancing.
• Brocade ServerIron Chassis Hardware Installation Guide – provides the physical characteristics, power consumption, and performance capabilities of the ServerIron chassis switch families, and explains how to set up and install the switches and their modules.
• Brocade Management Information Base Reference – presents the Simple Network Management Protocol (SNMP) Management Information Base (MIB) objects that are supported on Brocade devices.
The latest versions of these guides are posted at http://www.brocade.com/ethernetproducts.
If you find errors in the guides, send an e-mail to [email protected]
Getting technical help
To contact Technical Support, go to http://www.brocade.com/services-support/index.page for the latest e-mail and
telephone contact information.
Document feedback
Quality is our first concern at Brocade and we have made every effort to ensure the accuracy and completeness of
this document. However, if you find an error or an omission, or you think that a topic needs further development,
we want to hear from you. Forward your feedback to:
[email protected]
Provide the title and version number of the document and as much detail as possible about your comment,
including the topic heading and page number and your suggestions for improvement.
Chapter 2
Switching and Routing
This chapter describes Layer 2 switching and routing for ServerIron devices. It contains the following sections:
• “MAC switching”
• “STP”
• “Trunk Groups”
• “VLANs”
• “MAC Filters”
• “Address-Lock Filters”
• “Configuring a Broadcast Filter”
• “Setting the Broadcast Limit”
• “Assigning a Gateway List”
• “Multicast”
MAC switching
All Brocade devices support MAC switching. MAC switching enables intelligent wire-speed bridging of Layer 2
packets. The first time a Brocade device receives a packet from a given MAC destination, the device makes an
entry in its Layer 2 cache. The entry consists of the packet’s source MAC address and the port on which the device
received the packet.
When the device receives a bridge packet destined for the cached address, the device does not need to send the
packet as a broadcast through all the ports within the broadcast domain. Instead, the device can intelligently send
the packet only through the port to which the destination device is connected. Thus, even though Layer 2 domains
are typically broadcast domains, MAC switching enhances performance in the domain by reducing the amount of
broadcast traffic in the domain.
In addition, Brocade routers that are enabled for MAC switching can switch traffic for route protocols that are not
supported in the routing software. If IPX routing is disabled on a router, the router can switch the IPX packets
instead.
To avoid accumulating stale cache entries, Brocade devices use an aging mechanism. The aging mechanism
removes a learned entry from the cache after the entry has remained unused for a specified interval (by default,
300 seconds). You can change or disable the aging interval.
By default, all ports in a Brocade device belong to a common Layer 2 broadcast domain, VLAN 1. You can
configure port-based VLANs (Virtual LANs) to create smaller broadcast domains that use subsets of the device’s
ports.
Static MAC Entries
MAC entries that the Brocade device learns and caches are subject to an aging time. After a cached entry
remains unused for the duration of the aging time, the software removes the entry from the Layer 2 cache. If you
want certain MAC addresses to always be present in the device’s Layer 2 address table, you can add them as
static entries.
A static MAC entry, like a cached (dynamic) MAC entry, maps a MAC address to the Brocade device’s port
attached to that device.
Unlike cached MAC entries, static MAC entries provide the following benefits:
• You can assign a QoS priority to a static MAC entry.
• You can specify VLAN membership for a static MAC entry.
• A static entry prevents broadcast storms that can be caused when a server’s MAC entry is removed. For
example, if a server goes down long enough for the server’s entry to age out, the Brocade device sends
packets addressed to the server as broadcasts until the device relearns the cache entry for the server.
You can specify port priority (QoS) and VLAN membership (VLAN ID) for the MAC address. On switches, you also
can specify the device type (router or host) for the entry.
NOTE: On Brocade routers, you also can create static IP routes, ARP entries, and RARP entries. The
ServerIron and other Brocade switches support only static MAC addresses.
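The aging and static-entry behavior described above can be traced with a small model. This is an added example, not Brocade code: the Layer2Cache class, its method names and the four-port layout are assumptions, and the two addresses are borrowed from the sample listing in this guide.

```python
from dataclasses import dataclass

DEFAULT_AGE_SECONDS = 300  # default aging interval given in this guide


@dataclass
class Entry:
    port: int
    last_seen: float
    static: bool = False


class Layer2Cache:
    """Toy model of a learning bridge's address table (not ServerIron code)."""

    def __init__(self, ports, age_seconds=DEFAULT_AGE_SECONDS):
        self.ports = set(ports)
        self.age_seconds = age_seconds  # None models a disabled aging interval
        self.table = {}

    def add_static(self, mac, port):
        # Static entries are configured, not learned, and are never aged out.
        self.table[mac] = Entry(port, last_seen=0.0, static=True)

    def expire(self, now):
        if self.age_seconds is None:
            return
        stale = [mac for mac, e in self.table.items()
                 if not e.static and now - e.last_seen >= self.age_seconds]
        for mac in stale:
            del self.table[mac]

    def receive(self, src, dst, in_port, now):
        """Learn src on in_port, then return the set of egress ports for dst."""
        self.expire(now)
        existing = self.table.get(src)
        if existing is None or not existing.static:
            # Assumption: an entry counts as "used" when a frame arrives from it.
            self.table[src] = Entry(in_port, last_seen=now)
        target = self.table.get(dst)
        if target is None:
            return self.ports - {in_port}   # unknown destination: flood the domain
        if target.port == in_port:
            return set()                    # same segment: nothing to forward
        return {target.port}


CLIENT, SERVER = "0060.9709.914b", "0800.208f.725b"  # sample addresses


def server_outage(static_server):
    """Server on port 2 falls silent; client on port 1 keeps sending to it."""
    cache = Layer2Cache(ports=[1, 2, 3, 4])
    if static_server:
        cache.add_static(SERVER, 2)
    else:
        cache.receive(SERVER, CLIENT, in_port=2, now=0)      # learned at t=0
    before = cache.receive(CLIENT, SERVER, in_port=1, now=10)
    after = cache.receive(CLIENT, SERVER, in_port=1, now=400)  # after 300 s of silence
    return before, after


if __name__ == "__main__":
    print("dynamic:", server_outage(static_server=False))
    print("static: ", server_outage(static_server=True))
```

With a learned entry, the frame sent at 400 seconds leaves on every other port in the broadcast domain; with the static entry it still leaves only on port 2.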
Displaying MAC Addresses
To display all MAC addresses on a ServerIron, enter the following:
ServerIron(config)# show mac-address
Total entries from all ports = 75
MAC             Port  Age    CamF  CIDX0  CIDX1  CIDX2  CIDX3  CIDX4  CIDX5
0000.0300.0000  10    17293  00H   0      0      0      0      0      0
0060.089f.8086  1     12     0bH   23     15     0      6      0      0
0060.9709.914b  16    2130   00H   0      0      0      0      0      0
00a0.249a.0163  16    130    00H   0      0      0      0      0      0
0060.979d.41a5  11    475    00H   0      0      0      0      0      0
00a0.24c5.01d1  11    0      0cH   0      0      20     14     0      0
0060.979d.41df  11    570    00H   0      0      0      0      0      0
0060.9759.4226  16    240    00H   0      0      0      0      0      0
0060.9759.4235  16    130    00H   0      0      0      0      0      0
0800.208f.725b  2     135    00H   0      0      0      0      0      0
0060.9759.4264  16    0      0aH   0      14     0      21     0      0
00a0.24c5.02a1  16    15     09H   5      0      0      33     0      0
0000.c02c.a2bf  7     11     03H   27     5      0      0      0      0
00a0.24c5.02f8  4     135    00H   0      0      0      0      0      0
00a0.24c5.02fc  6     0      06H   0      8      31     0      0      0
0800.207e.c312  2     2      0dH   25     0      24     13     0      0
0800.208f.5331  2     135    00H   0      0      0      0      0      0
00e0.5200.0385  10    5160   00H   0      0      0      0      0      0
--More--, next page: Space/Return key, quit: Control-c
NOTE: The information displayed in columns with headings CamF, and CIDX0 through CIDX5, is not relevant for
day-to-day management of the ServerIron. The information is used by engineering and technical support staff for
debug purposes.
Syntax: show mac-address [ethernet <portnum> | <mac-addr> | session]
The session keyword causes information about MAC session entries to be displayed.
Displaying MAC Address Statistics
To display the total number of MAC addresses currently active on a ServerIron, enter the following command:
ServerIron(config)# show mac-address-statistics
Total entries = 41
Port    1    2    3    4    5    6    7    8
        0    6   11    1    1    1    2    1
Port    9   10   11   12   13   14   15   16
        0    3    1    3    1    1    8    1
For each port, the number of learned MAC addresses is displayed.
Syntax: show mac-address-statistics
This command provides a numerical summary of the detailed listing produced by the show mac-address command.
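The relationship between the two displays can be checked from captured CLI output. The following is an added example, not part of the guide or of any Brocade tool: the function names and the per_port_limit audit threshold are assumptions, and the sample text is the first six rows of the listing shown earlier, cut at the pager prompt.

```python
import re
from collections import Counter

# First rows of the sample listing in this guide, cut where the pager stops.
SAMPLE = """\
ServerIron(config)# show mac-address
Total entries from all ports = 75
MAC            Port  Age   CamF CIDX0 CIDX1 CIDX2 CIDX3 CIDX4 CIDX5
0000.0300.0000 10    17293 00H  0     0     0     0     0     0
0060.089f.8086 1     12    0bH  23    15    0     6     0     0
0060.9709.914b 16    2130  00H  0     0     0     0     0     0
00a0.249a.0163 16    130   00H  0     0     0     0     0     0
0060.979d.41a5 11    475   00H  0     0     0     0     0     0
00a0.24c5.01d1 11    0     0cH  0     0     20    14    0     0
--More--, next page: Space/Return key, quit: Control-c
"""

TOTAL = re.compile(r"^Total entries from all ports\s*=\s*(\d+)$")
ROW = re.compile(
    r"^([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\d+)(?:\s|$)", re.I)


def parse_mac_table(text):
    """Return (rows, reported_total, paged) from 'show mac-address' output."""
    rows, total, paged = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("--More--"):
            paged = True                # listing stopped at the pager prompt
            continue
        m = TOTAL.match(line)
        if m:
            total = int(m.group(1))
            continue
        m = ROW.match(line)
        if m:                           # prompt and header lines do not match
            rows.append({"mac": m.group(1).lower(),
                         "port": m.group(2),
                         "age": int(m.group(3))})
    return rows, total, paged


def per_port_counts(rows):
    """Per-port entry counts, the figure 'show mac-address-statistics' reports."""
    return dict(Counter(r["port"] for r in rows))


def summarize(text, per_port_limit=None):
    rows, total, paged = parse_mac_table(text)
    counts = per_port_counts(rows)
    over = sorted(p for p, n in counts.items()
                  if per_port_limit is not None and n > per_port_limit)
    return {
        "counts": counts,
        "parsed": len(rows),
        "reported_total": total,
        # A capture is only trustworthy for auditing if nothing was paged away.
        "complete": total is not None and len(rows) == total and not paged,
        "over_limit": over,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE, per_port_limit=1))
```

The "complete" flag is False for this sample because only 6 of the 75 reported entries were captured before the pager prompt.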
STP
The Spanning Tree Protocol (STP) detects and eliminates logical loops in a Layer 2 broadcast domain. STP is
described in the IEEE 802.1d bridge protocols standard and ensures the device uses the most efficient path when
multiple paths exist between ports. If a selected path fails, STP searches for and then establishes an alternate
path to prevent or limit retransmission of data.
For ServerIron devices, STP is disabled by default on Router (R) code images but enabled by default on the
Switch (S) code images.
Configuring Fast Port Span
The Fast Port Span feature allows faster STP convergence on ports that are attached to end stations. To configure
this feature, enter the following command:
ServerIron(config)#fast port-span
To exclude a port from Fast Port Span, while leaving Fast Port Span enabled globally, enter the following
command:
ServerIron(config)#fast port-span exclude ethernet 1
Syntax: [no] fast port-span [exclude ethernet <portnum> [ethernet <portnum>… | to <portnum>]]
Configuring Fast Uplink Span
The Fast Uplink Span feature reduces the convergence time for uplink ports to another device to just four seconds
(two seconds for listening and two seconds for learning). To configure this feature, enter the following command:
ServerIron(config)# fast uplink-span ethernet 1 to 4
Syntax: [no] fast uplink-span [ethernet <portnum> [ethernet <portnum>… | to <portnum>]]
Replace the <portnum> with a port that has redundant uplinks on a wiring closet switch.
Modifying Spanning Tree Parameters
Spanning Tree bridge and port parameters are configurable using the spanning-tree command. When no port-based VLANs are active on the system, spanning tree parameters are set at the Global CONFIG Level.
When port-based VLANs are active on the system, spanning tree protocol bridge and port parameters can be
configured globally at the VLAN Level. Additionally, you can disable or enable STP on an interface basis.
NOTE: If VLANs are active on a switch or router, spanning-tree will not be seen as an option at the Global
CONFIG Level of the CLI but will be an option of the VLAN Level.
All bridge and port parameters have default values and do not need to be modified unless required to match
network needs. Additionally, all values will be globally applied to the switch or router. By default this feature is
enabled on switches and disabled on routers.
You can modify the following STP Parameters:
1. Modify bridge parameters—forward delay, maximum age, hello time and priority
2. Modify port parameters—priority and path cost
Suppose you want to enable spanning tree on a system in which no port-based VLANs are active and change the
hello-time from the default value of 2 to 8 seconds. Additionally, suppose you want to change the path and priority
costs for port 5 only. To do so, enter the following commands.
ServerIron(config)#span hello-time 8
ServerIron(config)#span ethernet 5 path-cost 15 priority 64
To disable spanning tree on physical port 4 of a system with no VLANs operating:
ServerIron(config)#interface ethernet 4
ServerIron(config-if-4)#no spanning-tree
Syntax: [no] spanning-tree [ethernet <portnum> path-cost <value> priority <value>] forward-delay <value> hello-time <value> maximum-age <time> priority <value>
Bridge Parameters:
• forward-delay: Possible values: 4 – 30 seconds. Default is 15 seconds.
• max-age: Possible values: 6 – 40 seconds. Default is 20 seconds.
• hello-time: Possible values: 1 – 10 seconds. Default is 2 seconds.
• priority: Possible values: 1 – 65,535. Default is 32,768. A higher numerical value means a lower priority; thus,
the highest priority is 0.
Port Parameters:
• path: Possible values: 1-65,535. Default: Auto
• The default value ‘Auto’ means that the port will adjust the default value automatically based on the port
speed. The default value is based on the following formula: Half-duplex ports: 1000/port speed; Full-duplex
ports: (1000/port speed)/2
• Priority: possible values are 0-255. Default is 128. A higher numerical value means a lower priority; thus, the
highest priority is 0.
Displaying Spanning Tree Statistics
To display spanning tree statistics, enter the following command:
ServerIron#show span ?
  DECIMAL      Number of spanning tree entries to skip before display begins
  detail       Show more details of STP information on each port
  pvst-mode    PVST status
  vlan         Show spanning tree of a VLAN
  |            Output modifiers
  <cr>
ServerIron#show span
VLAN 1 BPDU cam_index is 2061 and the DMA master Are(HEX) 4
STP instance owned by VLAN 1
Global STP (IEEE 802.1D) Parameters:
VLAN Root             Root Root Prio Max Hello Hold Fwd Last    Chg Bridge
ID   ID               Cost Port rity Age sec   sec  dly Chang   cnt Address
                                Hex  sec            sec sec
1    8000000cdb2bad20 0    Root 8000 20  2     1    15  1456133 0   000cdb2bad20
Port STP Parameters:
Port Prio Path State    Fwd   Design Designated       Designated
Num  rity Cost          Trans Cost   Root             Bridge
     Hex
2/1  80   0    DISABLED 0     0      0000000000000000 0000000000000000
2/2  80   0    DISABLED 0     0      0000000000000000 0000000000000000
2/3  80   0    DISABLED 0     0      0000000000000000 0000000000000000
2/4  80   0    DISABLED 0     0      0000000000000000 0000000000000000
2/5  80   0    DISABLED 0     0      0000000000000000 0000000000000000
2/6  80   0    DISABLED 0     0      0000000000000000 0000000000000000
2/7  80   0    DISABLED 0     0      0000000000000000 0000000000000000
2/8  80   0    DISABLED 0     0      0000000000000000 0000000000000000
2/9  80   0    DISABLED 0     0      0000000000000000 0000000000000000
2/10 80   0    DISABLED 0     0      0000000000000000 0000000000000000
2/11 80   0    DISABLED 0     0      0000000000000000 0000000000000000
2/12 80   0    DISABLED 0     0      0000000000000000 0000000000000000
2/13 80   0    DISABLED 0     0      0000000000000000 0000000000000000
2/14 80   0    DISABLED 0     0      0000000000000000 0000000000000000
2/15 80   0    DISABLED 0     0      0000000000000000 0000000000000000
2/16 80   0    DISABLED 0     0      0000000000000000 0000000000000000
2/17 80   0    DISABLED 0     0      0000000000000000 0000000000000000
2/18 80   0    DISABLED 0     0      0000000000000000 0000000000000000
2/19 80   0    DISABLED 0     0      0000000000000000 0000000000000000
2/20 80   0    DISABLED 0     0      0000000000000000 0000000000000000
2/21 80   0    DISABLED 0     0      0000000000000000 0000000000000000
2/22 80   0    DISABLED 0     0      0000000000000000 0000000000000000
2/23 80   0    DISABLED 0     0      0000000000000000 0000000000000000
2/24 80   0    DISABLED 0     0      0000000000000000 0000000000000000
IronSpan STP Enhancements
IronSpan is a set of Layer 2 features that extend the operation of standard STP. IronSpan enables you to fine tune
standard STP and avoid some of its limitations. IronSpan includes the following features:
• Fast Port Span – By default, devices running Fast Port Span perform Spanning Tree Protocol (STP)
convergence in four seconds instead of 30 or more seconds for certain ports connected to end stations.
• Fast Uplink Span – Enhances STP by allowing a Brocade device with redundant uplinks to quickly resume
forwarding, in just four seconds. This feature is similar to Fast Port Span but applies to certain inter-switch
links on Brocade devices, instead of Brocade links to end stations.
Trunk Groups
A trunk group is a set of ports that provide a high speed link between two Brocade devices or between a Brocade
device and a server. A trunk group can consist of up to four ServerIron physical ports and provides the bandwidth
of those ports combined. Thus, a trunk group containing four 1 Gbps ports can provide up to four Gbps of bidirectional traffic. See the trunk server global command.
In addition to enabling load sharing of traffic, trunk groups provide redundant, alternate paths for traffic. Thus, if a
link in a trunk group fails, the device still uses the other links in the trunk group.
With Release 7.1.01 and later, you can configure up to 12 trunks per 24 ports.
802.3ad Link Aggregation
802.3ad is a standards-based approach for aggregating several switch ports. With Release 09.5.02a, the
ServerIron now supports standards-based 802.3ad LACP link aggregation. This feature allows you to connect the
ServerIron to devices from other vendors through port-aggregated channels.
VLANs
By default, all ports and interfaces running a Switch (S) image are kept in VLAN 1, which is named
DEFAULT-VLAN:
!
vlan 1 name DEFAULT-VLAN by port
!
Use show vlan to display interesting information:
ServerIron#show vlan
Total PORT-VLAN entries: 1
Maximum PORT-VLAN entries: 32
legend: [S=Slot]
PORT-VLAN 1, Name DEFAULT-VLAN, Priority level0, Spanning tree On
 Untagged Ports: (S2) 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
 Untagged Ports: (S2) 17 18 19 20 21 22 23 24
   Tagged Ports: None
   Uplink Ports: None
Port-Based VLANs
By default, all ports in a Brocade device belong to a common Layer 2 broadcast domain. When the device sends
a broadcast packet, the packet goes out all active ports. A port-based Virtual LAN (VLAN) is a subset of ports on
a Brocade device that constitutes a Layer 2 broadcast domain.
Port-based VLANs can reduce the likelihood and severity of broadcast storms by reducing the number of ports
affected by a storm. In addition, for devices such as servers that can cause broadcast storms, you can add static
MAC entries for the devices and assign the static entries to a VLAN.
Each port-based VLAN maintains a separate spanning tree. (See “STP” on page 2-3.)
Changing the Tag Type
The tag type is the value placed in a packet to identify it as coming from a tagged VLAN port. The 802.1q standard
recognizes the value of 8100 for this purpose. Other values can be assigned to this parameter but are not
recommended.
Brocade switches support 802.1q VLAN tagging. VLAN tagging is a method of identifying a packet as a member
of a VLAN. VLAN tagging enables you to configure ports on multiple switches into a single VLAN. Using tagged
VLANs can ease network management and ensures interoperability with other devices.
When a switch sends a packet that is a member of a tagged VLAN, the switch "tags" the packet to indicate its
VLAN membership. Other switches that support VLAN tagging recognize the tag and process the packet
according to its VLAN membership.
ServerIron(config)#tag-type 8100
Syntax: [no] tag-type <value>
The default <value> is 8100.
Enabling Aggregated VLAN
A larger Ethernet frame size for VLAN aggregation changes the maximum Ethernet size to 1530 bytes.
To enable a larger Ethernet frame size for VLAN aggregation, enter the following command:
ServerIron(config)# aggregated-vlan
Syntax: [no] aggregated-vlan
Use this command when you are configuring Super Aggregated VLANs.
Changing the ID of the Default VLAN
Before you change the VLAN ID for the default VLAN, ensure that the ID is not already in use. For example, if you
have already defined VLAN 10, do not try to use "10" as the new VLAN ID for the default VLAN. Valid VLAN IDs
are numbers .
When you enable port-based VLAN operation, all ports are assigned to VLAN 1 by default. As you create
additional VLANs and assign ports to them, the ports are removed from the default VLAN. All ports that you do
not assign to other VLANs remain members of default VLAN 1. This behavior ensures that all ports are always
members of at least one VLAN.
NOTE: Changing the default VLAN name does not change the properties of the default VLAN. Changing the
name allows you to use the VLAN ID "1" as a configurable VLAN.
ServerIron(config)#default-vlan-id 1001
Syntax: [no] default-vlan-id <value>
The <value> is from 1 – 4095. The default is 1.
Allowing TFTP Access Only to Clients in a Specific VLAN
You can allow TFTP access only to clients in a specific VLAN. The following example configures the device to
allow TFTP access only to clients connected to ports within port-based VLAN 40. Clients connected to ports that
are not in VLAN 40 are denied access.
ServerIron(config)#tftp client enable vlan 40
Syntax: [no] tftp client enable vlan <vlan-id>
Disabling or Re-enabling Dynamic Discovery of Protocol VLANs
Dynamic discovery of protocol VLANs on switch-to-switch links enables switch-to-switch links to be automatically
included in protocol VLANs that have dynamic port membership.
By default, the command is enabled. To disable dynamic discovery of protocol VLANs on switch-to-switch links,
enter the following command:
ServerIron(config)#no vlan-dynamic-discovery
Syntax: [no] vlan-dynamic-discovery
Setting the Maximum Number of VLANs
You can adjust the maximum number of VLANs that are supported on a ServerIron using the following command:
ServerIron(config)# vlan max-vlan 128
Syntax: [no] vlan max-vlan <value>
The <value> variable can be set to a number in the following range: 1 – 4095. The default is 32.
Defining a large number of VLANs on a ServerIron reduces the number of VIPs possible because the system
creates internal MAC addresses for VIPs. Creating a large number of VLANs can cause you to reach the
maximum available MAC limit.
NOTE: Changing the maximum VLAN values using this command requires a system reload.
Assigning Tagged or Untagged Ports to a Port-Based VLAN
Once a port-based VLAN is created, port membership for that VLAN must be defined. To assign a port to a
port-based VLAN, either the tagged or untagged command is used. When a port is tagged, it can be a member of
multiple port-based VLANs.
When a port is tagged, it allows communication among the different VLANs to which it is assigned. A common
use is to place an email server that multiple groups need to reach on a tagged port that is a member of
every VLAN whose members need access to the server.
Suppose you want to make port 5 (module 5), a member of port-based VLAN 4, a tagged port. Enter commands
such as the following:
ServerIron(config)#vlan 4
ServerIron(config-vlan-4)#tagged ethernet 3/5
To assign all ports on a 16-port ServerIron except port 5 (module 3) as untagged ports of a VLAN, that is, to
assign ports 1-4 and 6-16 to VLAN 4, enter commands such as the following:
ServerIron(config)#vlan 4
ServerIron(config-vlan-4)#untagged ethernet 3/1 to 3/4 e 3/6 to 3/16
Syntax: [no] tagged ethernet <portnum> [to <portnum> [ethernet <portnum>]]
Syntax: [no] untagged ethernet <portnum> [to <portnum> ethernet <portnum>]
Configuring Uplink Ports
When you configure a set of ports within a port-based VLAN as uplink ports for the VLAN, all broadcast and
unknown-unicast traffic goes only to the uplink ports, not to the other ports in the VLAN.
To configure a port-based VLAN containing uplink ports, enter commands such as the following:
ServerIron(config)# vlan 10 by port
ServerIron(config-vlan-10)# untag ethernet 1/1 to 1/24
ServerIron(config-vlan-10)# untag ethernet 2/1 to 2/2
ServerIron(config-vlan-10)# uplink-switch ethernet 2/1 to 2/2
In this example, 24 ports on a 10/100 module and two Gigabit ports on a Gigabit module are added to port-based
VLAN 10. The two Gigabit ports are then configured as uplink ports.
Syntax: [no] uplink-switch ethernet <portnum> [to <portnum> | ethernet <portnum>]
Setting a Priority for a VLAN
You can assign a higher priority to a VLAN so that, in times of congestion, it receives precedence over other
transmissions. To do this, enter commands such as the following:
ServerIron(config)#vlan 25
ServerIron(config-vlan-25)#priority high
Syntax: [no] priority normal | high
Configuring an AppleTalk Protocol VLAN
You can create an AppleTalk protocol VLAN within a ServerIron port-based VLAN when entered at the VLAN
Level. All ports are assumed by default to be members of the VLAN when initially created.
To create an AppleTalk Protocol VLAN with permanent port membership of 9 and 13 and no dynamic ports within
an already defined port-based VLAN 2, enter commands such as the following:
ServerIron(config)#vlan 2
ServerIron(config-vlan-2)#atalk-proto
ServerIron(config-vlan-atalk-proto)#static e 9 e 13
ServerIron(config-vlan-atalk-proto)#no dynamic
If configuring this on a switch, enter vlan 2 by port at the CONFIG Level versus vlan 2, as shown in the example.
Protocol VLAN membership can be modified using the dynamic, static, or exclude commands.
To specify a VLAN name, use the name keyword followed by a string. The name keyword and string are the last
arguments in the command. For example, to name an AppleTalk VLAN:
ServerIron(config)#atalk-proto name AppleVLAN1
To name an IP VLAN:
ServerIron(config)#ip-proto 192.75.5.0/24 name "Ship and Recv"
This example shows how to specify a name that contains a blank. Use double quotation marks before and after
the name.
Syntax: [no] atalk-proto [<name>]
The <name> can be up to 16 characters long and can contain blanks.
Configuring a Decnet Protocol VLAN
You can create a Decnet protocol VLAN within a ServerIron port-based VLAN, when entered at the VLAN Level.
All ports are assumed by default to be members of the VLAN when initially created.
To create a Decnet protocol VLAN with permanent port membership of 15 and 16 with port 17 as dynamic
member port, within VLAN 5, enter the following commands.
ServerIron(config)#vlan 5
ServerIron(config-vlan-5)#decnet-proto
ServerIron(config-vlan-decnet-proto)#exclude e 1 to 14 e18
If configuring this on a switch, enter vlan 5 by port at the CONFIG Level versus vlan 5, as shown in the example
above.
Protocol VLAN membership can be modified using the dynamic, static, or exclude commands.
Syntax: [no] decnet-proto [<name>]
To specify a VLAN name, use the name keyword followed by a string. The name keyword and string are the last
arguments in the command. The name can contain blank spaces if you use double quotation marks before and
after the name. The <name> can be up to 16 characters long and can contain blanks.
Configuring an IP Protocol VLAN
You can create an IP protocol VLAN on a ServerIron within a port-based VLAN, when entered at the VLAN Level.
When configuring on a switch, all ports are dynamically allocated to the VLAN. You can modify port membership
by using the static or exclude commands.
If configuring on a Brocade router, ports must be added to the VLAN with the static command. Ports are not
dynamically allocated to IP protocol VLANs.
To assign ports 1, 2, 6 and 8 to an IP protocol VLAN within VLAN 7, enter commands such as the following:
ServerIron(config)#vlan 7
ServerIron(config-vlan-7)#ip-proto
ServerIron(config-vlan-ip-proto)#static e 1 to 2 e 6 e 8
If configuring this on a switch, enter vlan 7 by port at the CONFIG Level versus vlan 7, as shown in the example
above.
Syntax: [no] ip-proto [<name>]
The <name> can be up to 16 characters long and can contain blanks.
An IP protocol and IP sub-net VLAN cannot both be configured to operate on a ServerIron at the same time. This
restriction is also true for IPX and IPX network VLANs.
Configuring an IP Subnet Protocol VLAN
You can create an IP subnet protocol VLAN on a ServerIron within a port-based VLAN, when entered at the VLAN
Level. This allows you to define finer granularity than that of an IP protocol VLAN, by partitioning the
broadcast domains by sub-net. In creating an IP subnet VLAN, an IP address is used as the identifier.
When configuring on a switch, all ports are dynamically allocated to the VLAN. You can modify port membership
by using the static or exclude commands.
When configuring on a Brocade router, ports must be added to the VLAN with the static command. Ports are not
dynamically allocated to IP subnet VLANs.
To create an IP sub-net of IP address 192.75.3.0 with permanent port membership of 1 and 2 (module 2), within
VLAN 10, enter commands such as the following:
ServerIron(config)#vlan 10
ServerIron(config-vlan-10)#ip-subnet 192.75.3.0 255.255.255.0
ServerIron(config-vlan-ip-subnet)#static e 1 to 2
If configuring this on a switch, enter vlan 10 by port at the CONFIG Level versus vlan 10, as shown in the
example.
Syntax: [no] ip-subnet <ip-addr> <ip-mask> [<name>]
The <name> can be up to 16 characters long and can contain blanks.
An IP protocol and IP sub-net VLAN cannot both be configured to operate simultaneously on a Brocade switch or
router. This restriction is also true for IPX and IPX Network VLANs.
Configuring an IPX Network VLAN
You can create an IPX network VLAN on a ServerIron within a port-based VLAN, when entered at the VLAN Level.
This command allows you to define finer granularity than that of the IPX protocol VLAN, by partitioning the
broadcast domains by IPX network number. In creating an IPX network VLAN, an IPX network number is used as
the identifier. The frame type must also be specified.
When configuring on a switch, all ports are dynamically allocated to the VLAN. You can modify port membership
by using the static or exclude commands.
When configuring on a Brocade router, ports must be added to the VLAN with the static command. Ports are
not dynamically allocated to IPX network VLANs.
To create an IPX network VLAN with a network number of 500 and frame type of 802.2 with permanent port
membership of 10 and 14 within port-based VLAN 15, enter commands such as the following:
ServerIron(config)#vlan 15
ServerIron(config-vlan-15)#ipx-network 500 ethernet_802.2
ServerIron(config-vlan-ipx-proto)#static e 10 e 14
If configuring this on a switch, enter vlan 15 by port at the CONFIG Level versus vlan 15, as shown in the
example above.
Syntax: [no] ipx-network <ipx-network-number> <frame-type> [<name>]
Possible <frame-type> values include ethernet_ii, ethernet_802.2, ethernet_802.3, and ethernet_snap. The
<name> parameter can be up to 16 characters long and can contain blanks.
An IPX network and IPX protocol VLAN cannot both be configured to operate simultaneously on a Brocade switch
or router. This restriction is also true for IP protocol and IP sub-net VLANs.
Configuring an IPX Protocol VLAN
You can create an IPX protocol VLAN on a ServerIron within a port-based VLAN, when entered at the VLAN
Level.
When configuring on a switch, all ports are dynamically allocated to the VLAN. You can modify port membership
by using the static or exclude commands.
If configuring on a Brocade router, ports must be added to the VLAN with the static command. Ports are not
dynamically allocated to IPX protocol VLANs.
To assign ports 1, 2, 6 and 8 to an IPX protocol VLAN within port-based VLAN 22, enter commands such as the
following:
ServerIron(config)#vlan 22
ServerIron(config-vlan-22)#ipx-proto
ServerIron(config-vlan-ipx-proto)#static e 1 to 2 e 6 e 8
If configuring this on a switch, enter vlan 22 by port at the CONFIG Level versus vlan 22, as shown in the
example above.
Syntax: [no] ipx-proto [<name>]
The <name> can be up to 16 characters long and can contain blanks. To specify a VLAN name, use the name
keyword followed by a string. The name keyword and string are the last arguments in the command. The name
can contain blank spaces if you use double quotation marks before and after the name.
An IPX protocol and IPX network VLAN cannot both be configured to operate simultaneously on a Brocade switch
or router. This restriction is also true for IP and IP sub-net VLANs.
Configuring a NetBIOS Protocol VLAN
You can create a NetBIOS protocol VLAN. The name appears in VLAN show displays. All ports of the system are
assumed, by default, to be members of the VLAN when initially created. VLAN Membership can be modified
using the dynamic, static, or exclude commands.
To create a NetBIOS Protocol VLAN on an 18 port device with permanent port membership of 4 and 5 and ports 8
through 12 as dynamic member ports, enter commands such as the following:
ServerIron(config)#netbios-proto
ServerIron(config-netbios-proto)#static e4 e5
ServerIron(config-netbios-proto)#exclude e1 to 3 e6 e7 e13 to 18
Syntax: [no] netbios-proto [<name>]
The <name> can be up to 16 characters long and can contain blanks.
Configuring Another Protocol VLAN
You can create another protocol VLAN on the system. All ports of the switch are by default dynamically assigned
to the newly created VLAN. VLAN Membership can be modified using the dynamic, static, or exclude
commands.
You can use this option to define a protocol-based VLAN for protocols that are not specified as supported protocol
VLANs on a switch or router, or do not require dedicated, separate broadcast domains.
On a 16 port ServerIron, ports 13 through 16 represent protocols Decnet and AppleTalk. You do not need to
separate traffic by protocol into separate broadcast domains. Instead, create an Other Protocol VLAN with just
those ports as members:
ServerIron(config)#other-proto
ServerIron(config-other-proto)#static e13 to 16
ServerIron(config-other-proto)#exclude e1 to 12
ServerIron(config-other-proto)#exit
Syntax: [no] other-proto [<name>]
Dual-Mode VLAN Ports
Configuring a tagged port as dual-mode allows it to accept and transmit both tagged and untagged traffic
simultaneously. A dual-mode port accepts and transmits frames belonging to VLANs configured for the port, as
well as frames belonging to the default VLAN (untagged traffic).
For example, in Figure 2.1, port 2/11 is a dual-mode port belonging to VLAN 20. Traffic for VLAN 20, as well as
traffic for the default VLAN, flows from a hub to this port. The dual-mode feature allows traffic for VLAN 20 and
untagged traffic to go through the port at the same time.
Figure 2.1 Dual-mode VLAN port example
[Figure: a hub sends VLAN 20 traffic and untagged traffic to port 2/11 (tagged, VLAN 20, dual-mode); port 2/9 (tagged, VLAN 20) carries the VLAN 20 traffic and port 2/10 (untagged) carries the untagged traffic.]
To enable the dual-mode feature on port 2/11 in Figure 2.1 enter the following commands:
ServerIron(config)#vlan 20
ServerIron(config-vlan-20)#tagged e 2/11
ServerIron(config-vlan-20)#tagged e 2/9
ServerIron(config-vlan-20)#int e 2/11
ServerIron(config-if-e100-2/11)#dual-mode
ServerIron(config-if-e100-2/11)#exit
Syntax: [no] dual-mode
Starting with Release 09.5.02a, you can configure a dual-mode port to transmit traffic for a specified VLAN (which
is defined as Default VLAN) as untagged, while transmitting traffic for other VLANs as tagged. Figure 2.2
illustrates this enhancement.
Figure 2.2 Specifying a default VLAN ID for a dual-mode port
[Figure: a hub sends untagged VLAN 10 traffic and tagged VLAN 20 traffic to dual-mode port 2/11 (default VLAN ID 10; tagged, VLAN 20); port 2/10 (untagged, VLAN 10) carries the untagged VLAN 10 traffic and port 2/9 (tagged, VLAN 20) carries the tagged VLAN 20 traffic.]
In Figure 2.2, tagged port 2/11 is a dual-mode port belonging to VLANs 10 and 20. The default VLAN assigned to
this dual-mode port is 10. This means that the port transmits tagged traffic on VLAN 20 (and all other VLANs to
which the port belongs) and transmits untagged traffic on VLAN 10.
The dual-mode feature allows tagged traffic for VLAN 20 and untagged traffic for VLAN 10 to go through port 2/11
at the same time. A dual-mode port transmits only untagged traffic on its default VLAN (that is, either VLAN 1, or
a user-specified VLAN ID), and only tagged traffic on all other VLANs.
The following commands configure VLANs 10 and 20 in Figure 2.2. Tagged port 2/11 is added to VLANs 10 and
20, then designated a dual-mode port whose specified default VLAN is 10. In this configuration, port 2/11
transmits only untagged traffic on VLAN 10 and only tagged traffic on VLAN 20.
ServerIron(config)#vlan 10 by port
ServerIron(config-vlan-10)#untagged e 2/10
ServerIron(config-vlan-10)#tagged e 2/11
ServerIron(config-vlan-10)#exit
ServerIron(config)#vlan 20 by port
ServerIron(config-vlan-20)#tagged e 2/9
ServerIron(config-vlan-20)#tagged e 2/11
ServerIron(config-vlan-20)#exit
ServerIron(config)#int e 2/11
ServerIron(config-if-e100-2/11)#dual-mode 10
ServerIron(config-if-e100-2/11)#exit
Syntax: [no] dual-mode [<vlan-id>]
Notes:
• If you do not specify a <vlan-id> in the dual-mode command, the port’s default VLAN is set to 1. The port
transmits untagged traffic on the DEFAULT-VLAN.
• The dual-mode feature is disabled by default. Only tagged ports can be configured as dual-mode ports.
• In a trunk group, either all of the ports must be dual-mode, or none of them can be.
The show vlan command displays a separate row for dual-mode ports on each VLAN. For example:
ServerIron(config)#show vlan
Total PORT-VLAN entries: 3
Maximum PORT-VLAN entries: 16
legend: [S=Slot]
PORT-VLAN 1, Name DEFAULT-VLAN, Priority level0, Spanning tree Off
 Untagged Ports: (S1) 1 2 3 4 5 6 7 8
 Untagged Ports: (S2) 1 2 3 4 5 6 7 8 12 13 14 15 16 17 18 19
 Untagged Ports: (S2) 20 21 22 23 24
   Tagged Ports: None
   Uplink Ports: None
 DualMode Ports: None
PORT-VLAN 10, Name [None], Priority level0, Spanning tree Off
 Untagged Ports: (S2) 10
   Tagged Ports: None
   Uplink Ports: None
 DualMode Ports: (S2) 11
PORT-VLAN 20, Name [None], Priority level0, Spanning tree Off
 Untagged Ports: None
   Tagged Ports: (S2) 9
   Uplink Ports: None
 DualMode Ports: (S2) 11
MAC Filters
The following sections describe how to configure MAC filters for Layer 2 operations.
Configuring Filters for Layer 2 Filtering
A MAC filter enables you to explicitly permit or deny switching of a Layer 2 packet received by the Brocade device.
When the device receives a Layer 2 packet for switching, the device checks the packet’s contents against the
defined MAC filters. If the packet matches a filter, the system takes the action specified in the filter.
• If the action is permit, the system allows the packet to be switched.
• If the action is deny, the system immediately drops the packet.
To ensure security, if a packet does not match any of the MAC filters defined on the system, the system drops the
packet by default. To configure the system to permit packets by default, you must define the last MAC filter in the
filter list to allow all packets.
MAC filters can evaluate packets based on criteria such as source address and mask, destination address and
mask, and protocol type (IP, ARP, and so on).
NOTE: You cannot use Layer 2 filters to filter Layer 4 information. To filter Layer 4 information, use IP filters.
NOTE: You cannot use Layer 2 filters to filter Layer 4 information. To filter Layer 4 information, use ACLs. The
standard and extended ACLs described in that chapter are supported on the ServerIron.
To define filters for Layer 2 filtering on MAC addresses, enter commands such as the following:
ServerIron(config)#mac filter 1 deny 3565.3475.3676 ffff.0000.0000 any etype eq 806
ServerIron(config)#mac filter 1024 permit any any
ServerIron(config)#int e 1/1
ServerIron(config-if-1/1)#mac filter-group 1
These commands configure a filter to deny ARP traffic with a source MAC address that begins with “3565” to any
destination. The second filter permits all traffic that is not denied by another filter.
After you define the filters, you apply them to individual interfaces using the mac filter-group command.
Syntax: [no] mac filter <filter-num> permit | deny <src-mac> <mask> | any <dest-mac> <mask> | any etype | llc |
snap eq | gt | lt | neq <frame-type>
The <filter-num> is 1 – 64 (64 is the default system-max setting). If you use the system-max mac-filter-sys
command, you can increase the maximum number of MAC filters supported to 128 for global filter definitions.
The permit | deny argument determines the action the software takes when a match occurs.
The <src-mac> <mask> | any parameter specifies the source MAC address. You can enter a specific address
value and a comparison mask or the keyword any to filter on all MAC addresses. Specify the mask using f’s
(ones) and zeros. For example, to match on the first two bytes of the address aabb.ccdd.eeff, use the mask
ffff.0000.0000. In this case, the filter matches on all MAC addresses that contain "aabb" as the first two bytes.
The filter accepts any value for the remaining bytes of the MAC address. If you specify any, do not specify a mask.
In this case, the filter matches on all MAC addresses.
The <dest-mac> <mask> | any parameter specifies the destination MAC address. The syntax rules are the same
as those for the <src-mac> <mask> | any parameter.
Use the etype | llc | snap argument if you want to filter on information beyond the source and destination address.
The MAC filter allows you to filter on the following encapsulation types:
• etype (Ethertype) – a two byte field indicating the protocol type of the frame. This can range from 0x0600 to
0xFFFF.
• llc (IEEE 802.3 LLC1 SSAP and DSAP) – a two byte sequence providing a similar function to the EtherType
but for an IEEE 802.3 frame.
• snap (IEEE 802.3 LLC1 SNAP) – a specific LLC1 type packet.
To determine which type of frame is used on your network, use a protocol analyzer. If byte 12 of an Ethernet
packet is equal to or greater than 0600 (hex), it is an Ethernet framed packet. Any number below this indicates an
IEEE 802.3 frame (byte 12 will now indicate the length of the data field). Some well-known Ethernet types are
0800 (TCP/IP), 0600 (XNS), and 8137 (Novell Netware). Refer to RFC 1042 for a complete listing of EtherTypes.
For IEEE 802.3 frame, you can further distinguish the SSAP and DSAP of LLC header. Some well-known SAPs
include: FE (OSI), F0 (NetBIOS), 42 (Spanning Tree BPDU), and AA (SNAP). Usually the DSAP and SSAP are
the same.
NOTE: You must type in both bytes, otherwise the software will fill the field, left justified with a 00. Refer to RFC
1042 for a complete listing of SAP numbers.
SNAP is defined as an IEEE 802.3 frame with the SSAP, DSAP, and control field set to AA, AA, and 03.
Immediately following these is a five-byte SNAP header. The first three bytes in this header are not used by the
MAC filters. However, the next two bytes usually are set to the EtherType, so you can define the EtherType inside
the SNAP header that you want to filter on.
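The frame-type test described above, as an added example (not code from the Brocade guide): it classifies a raw untagged frame as etype, llc or snap and returns the value a MAC filter would compare. The sample frames are constructed, and reporting the llc value as DSAP followed by SSAP is an assumption.

```python
import struct

# SAP values quoted in the text above.
SAP_NAMES = {0xFE: "OSI", 0xF0: "NetBIOS", 0x42: "Spanning Tree BPDU", 0xAA: "SNAP"}


def mac_bytes(dotted: str) -> bytes:
    """Convert aabb.ccdd.eeff notation to six raw bytes."""
    return bytes.fromhex(dotted.replace(".", ""))


def classify_frame(frame: bytes) -> dict:
    """Return the encapsulation kind and the 16-bit value a filter would test."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte MAC header")
    info = {"dst": frame[0:6].hex(), "src": frame[6:12].hex()}
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len >= 0x0600:
        # Ethernet framing: bytes 12-13 are the EtherType. A frame carrying
        # an 802.1q tag is reported here with the tag type (0x8100).
        info.update(kind="etype", value=type_or_len)
        return info
    # IEEE 802.3 framing: bytes 12-13 are a length and the LLC header follows.
    if len(frame) < 17:
        raise ValueError("802.3 frame truncated before the LLC header")
    dsap, ssap, control = frame[14], frame[15], frame[16]
    if (dsap, ssap, control) == (0xAA, 0xAA, 0x03):
        if len(frame) < 22:
            raise ValueError("SNAP frame truncated before the SNAP header ends")
        # Five-byte SNAP header: three bytes the MAC filters ignore, then
        # two bytes that usually hold the EtherType.
        info.update(kind="snap", value=struct.unpack("!H", frame[20:22])[0])
    else:
        # Assumption: the two-byte llc value is DSAP followed by SSAP.
        info.update(kind="llc", value=(dsap << 8) | ssap,
                    sap=SAP_NAMES.get(dsap, "unknown"))
    return info


# Constructed sample frames (payloads are zero bytes).
ARP_FRAME = (mac_bytes("ffff.ffff.ffff") + mac_bytes("3565.3475.3676")
             + b"\x08\x06" + bytes(28))
BPDU_FRAME = (mac_bytes("0180.c200.0000") + mac_bytes("000c.db2b.ad20")
              + struct.pack("!H", 38) + b"\x42\x42\x03" + bytes(35))
SNAP_FRAME = (mac_bytes("00e0.5200.1234") + mac_bytes("0260.8c00.0102")
              + struct.pack("!H", 28) + b"\xaa\xaa\x03" + b"\x00\x00\x00"
              + b"\x08\x00" + bytes(20))

if __name__ == "__main__":
    for name, frame in (("ARP", ARP_FRAME), ("BPDU", BPDU_FRAME), ("SNAP", SNAP_FRAME)):
        result = classify_frame(frame)
        print(f"{name}: {result['kind']} {result['value']:04x}")
```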
The eq | gt | lt | neq argument specifies the possible operator: eq (equal), gt (greater than), lt (less than) and neq
(not equal).
The <frame-type> argument is a hexadecimal number for the frame type. For example, the hex number for ARP is
806.
The mac filter-group <filter-list> applies a group of MAC filters to the interface. The filters must be applied as a
group. For example, if you want to apply four filters to an interface, they must all appear on the same command
line. You cannot add or remove individual filters in the group. To add or remove a filter on an interface, apply the
filter group again containing all the filters you want to apply to the port. If you apply a filter group to a port that
already has a filter group applied, the older filter group is replaced by the new filter group.
NOTE: Once you define a MAC filter, the device drops Layer 2 traffic that does not match a MAC permit filter.
Additional Examples of Layer 2 MAC Filter Definitions
ServerIron(config)#mac filter 1 permit any any etype eq 0800
This filter configures the device to permit (forward) any inbound packet with the Ethertype field set to 0800 (IP).
ServerIron(config)#mac filter 2 deny 0080.0020.000 ffff.ffff.0000 any etype eq 0800
This filter configures the device to deny an inbound packet with the first four bytes set to 0800.0020.xxxx and an
EtherType field set to 0800 (IP). The destination field does not matter.
ServerIron(config)#mac filter 3 deny any 00e0.5200.1234 ffff.ffff.ffff snap eq 0800
This filter configures the device to deny any inbound IEEE 802.3 packet with a destination set to 00e0.5200.1234
and a SNAP EtherType set to 0800. The source address does not matter.
ServerIron(config)#mac filter 32 permit any any
This filter permits all packets. This filter is used as the last filter assigned in a filter-group that has previous deny
filters in the group.
Abbreviating the Address or Mask
Address and Mask abbreviations are allowed. However, be careful when configuring them. The default fill
character is a 0 and it will fill a byte range as left justified. This applies only to the MAC address and mask. A
range of frame types cannot be filtered. Each frame type must be entered. Here are some examples.
ServerIron(config)#mac filter 1 deny 0800.0700 ffff.ff00 any
This command expands to the following: mac filter 1 deny 0800.0700.0000 ffff.ff00.0000. The
filter shown above denies forwarding of an inbound frame whose source address has 080007 as its first
three bytes. All other information is not significant.
Here is another example of the fill feature:
ServerIron(config)#mac filter 2 deny 0260.8C00.0102 0.0.ffff any
This command expands to the following: mac filter 1 deny 0260.8C00.0102 0000.0000.ffff any
Because the fill character is 0 and the fill is left justified, certain filters do not allow abbreviations. For example,
suppose you want to deny an inbound packet that contains a broadcast destination address. Enter the following
command:
ServerIron(config)#mac filter 5 deny any ff ff
This command contains a destination address of all F's and a mask of F's. The command expands to the following:
ServerIron(config)#mac filter 1 deny any 00ff.0000.0000 00ff.0000.0000
Here is another example for DSAP and SSAP:
ServerIron(config)#mac filter 10 deny any any llc eq F0
This command expands to the following: mac filter 2 deny any any llc eq 00f0
To filter on both the SSAP and DSAP, enter a command such as the following:
ServerIron(config)#mac filter 4 deny any 0020.0010.1000 ffff.ffff.0000 llc eq e0e0
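The fill rule above, modelled as an added example (not from the guide and not Brocade code): each dot-separated group is padded on the left with zeros and missing groups become 0000, as the printed expansions show. It also shows why the abbreviated ff ff filter is unsafe: once expanded, it matches every destination whose second byte is ff, not only the broadcast address. Function names are hypothetical, and the match semantics (f bits in the mask are significant) are assumed from the guide's description of masks.

```python
"""Model of the zero-fill rule for abbreviated MAC filter addresses and masks.

Added illustration, not Brocade code. The rule is inferred from the
expansions the guide prints; all function names are hypothetical.
"""

HEX = set("0123456789abcdef")
FRAME_KINDS = {"etype", "llc", "snap"}
OPERATORS = {"eq", "gt", "lt", "neq"}


def _pad_group(group):
    """Left-pad one hex group with zeros to four digits."""
    group = group.lower()
    if not 1 <= len(group) <= 4 or not set(group) <= HEX:
        raise ValueError(f"bad hex group: {group!r}")
    return group.rjust(4, "0")


def expand_mac(abbrev):
    """Expand an abbreviated address or mask to xxxx.xxxx.xxxx."""
    groups = abbrev.split(".")
    if len(groups) > 3:
        raise ValueError(f"too many groups: {abbrev!r}")
    padded = [_pad_group(g) for g in groups]
    # Groups that were not typed at all are filled with zeros.
    return ".".join(padded + ["0000"] * (3 - len(padded)))


def expand_filter(line):
    """Return a 'mac filter' command with every abbreviation expanded."""
    tok = line.split()
    if (len(tok) < 6 or tok[:2] != ["mac", "filter"]
            or tok[3] not in ("permit", "deny")):
        raise ValueError(f"not a complete mac filter command: {line!r}")
    out, i = tok[:4], 4
    for field in ("source", "destination"):
        if i < len(tok) and tok[i] == "any":
            out.append("any")
            i += 1
        elif i + 1 < len(tok):
            out += [expand_mac(tok[i]), expand_mac(tok[i + 1])]
            i += 2
        else:
            raise ValueError(f"missing {field} address or mask")
    rest = tok[i:]
    if rest:
        # Optional frame-type clause: etype | llc | snap, operator, hex value.
        if (len(rest) != 3 or rest[0] not in FRAME_KINDS
                or rest[1] not in OPERATORS):
            raise ValueError(f"bad frame-type clause: {' '.join(rest)!r}")
        out += [rest[0], rest[1], _pad_group(rest[2])]
    return " ".join(out)


def _to_int(mac):
    return int(expand_mac(mac).replace(".", ""), 16)


def filter_matches(frame_mac, filt_addr, filt_mask):
    """True when frame_mac equals filt_addr on every bit set in filt_mask."""
    mask = _to_int(filt_mask)
    return (_to_int(frame_mac) & mask) == (_to_int(filt_addr) & mask)


if __name__ == "__main__":
    # Commands as typed in the guide's examples.
    for typed in ("mac filter 1 deny 0800.0700 ffff.ff00 any",
                  "mac filter 5 deny any ff ff",
                  "mac filter 10 deny any any llc eq F0"):
        print(typed, "->", expand_filter(typed))
    # Constructed destination addresses: broadcast and an unrelated unicast.
    for dest in ("ffff.ffff.ffff", "02ff.1111.2222"):
        print(dest,
              "abbreviated:", filter_matches(dest, "ff", "ff"),
              "full:", filter_matches(dest, "ffff.ffff.ffff", "ffff.ffff.ffff"))
```

Before applying a filter group, run each typed filter through the expansion and compare the result with the address and mask you intended; a deny filter that matches more than intended silently drops unrelated traffic.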
Setting the MAC Age Time
To set the aging period for all address entries in the switch or router address table, enter the following command:
ServerIron(config)#mac-age 600
Syntax: [no] mac-age-time <value>
The <value> is 0 – 65535 seconds. The default is 300 seconds. If you specify 0, the entries do not age.
Enabling Logging of Packets Denied by Layer 2 MAC Filters
When you enable this feature, the device generates Syslog entries and SNMP traps for denied packets.
To enable logging of packets that are denied by Layer 2 MAC filters, enter the following command:
ServerIron(config)#mac filter log-enable
Syntax: [no] mac filter log-enable
Address-Lock Filters
An address-lock filter restricts the number of MAC addresses that a switch can learn from a specific port. After
the switch learns the specified number of MAC addresses from the port, the switch stops learning addresses
received on that port. In addition, the switch does not accept or forward traffic on the port unless the traffic
contains one of the source or destination MAC addresses locked for the port.
Address-lock filters apply only to Layer 2 traffic and do not affect Layer 3 or Layer 4 traffic on the locked ports.
Unlike addresses learned from other ports, addresses learned from a locked port are not subject to aging.
Configuring a Broadcast Filter
You can filter on all broadcast traffic or on IP UDP broadcast traffic.
To configure a Layer 2 broadcast filter to filter all types of broadcasts, then apply the filter to ports 1, 2, and 3, enter
commands such as the following:
ServerIron(config)# broadcast filter 1 any
ServerIron(config-bcast-filter-id-1)# exclude-ports ethernet 1 to 3
ServerIron(config-bcast-filter-id-1)# write mem
To configure two filters, one to filter IP UDP traffic on ports 1 – 4, and the other to filter all broadcast traffic on port
6, enter commands such as the following:
ServerIron(config)# broadcast filter 1 ip udp
ServerIron(config-bcast-filter-id-1)# exclude-ports ethernet 1 to 4
ServerIron(config-bcast-filter-id-1)# exit
ServerIron(config)# broadcast filter 2 any
ServerIron(config-bcast-filter-id-2)# exclude-ports ethernet 6
ServerIron(config-bcast-filter-id-2)# write mem
To configure an IP UDP broadcast filter that applies only to port-based VLAN 10, then apply the filter to
two ports within the VLAN, enter commands such as the following:
ServerIron(config)# broadcast filter 4 ip udp vlan 10
ServerIron(config-bcast-filter-id-4)# exclude-ports eth 1 eth 3
ServerIron(config-bcast-filter-id-4)# write mem
Syntax: [no] broadcast filter <filter-id> any | ip udp [vlan <vlan-id>]
The <filter-id> specifies the filter number and can be a number from 1 – 8. The software applies the filters in
ascending numerical order. As soon as a match is found, the software takes the action specified by the filter
(block the broadcast) and does not compare the packet against additional broadcast filters.
You can specify any or ip udp as the type of broadcast traffic to filter. The any parameter prevents all broadcast
traffic from being sent on the specified ports. The ip udp parameter prevents all IP UDP broadcasts from being
sent on the specified ports but allows other types of broadcast traffic.
If you specify a port-based VLAN ID, the filter applies only to the broadcast domain of the specified VLAN, not to
all broadcast domains (VLANs) on the device.
As soon as you press Enter after entering the command, the CLI changes to the configuration level for the filter
you are configuring. You specify the ports to which the filter applies at the filter's configuration level.
Syntax: [no] exclude-ports ethernet <portnum> to <portnum>
Or
Syntax: [no] exclude-ports ethernet <portnum> ethernet <portnum>
These commands specify the ports to which the filter applies.
NOTE: This is the same command syntax as that used for configuring port-based VLANs. Use the first
command for adding a range of ports. Use the second command for adding separate ports (not in a range). You
also can combine the syntax. For example, you can enter exclude-ports ethernet 1/4 ethernet 2/6 to 2/9.
Setting the Broadcast Limit
You can specify the maximum number of broadcast packets the device can forward each second. By default the
device sends broadcasts and all other traffic at wire speed and is limited only by the capacities of the hardware.
However, if other devices in the network cannot handle unlimited broadcast traffic, this command allows you to
relieve those devices by throttling the broadcasts at the device.
The broadcast limit does not affect multicast or unicast traffic. However, you can use the multicast limit and
unknown-unicast limit <limit> global commands to control these types of traffic. The unknown-unicast limit
command specifies the maximum number of unknown-unicast packets the device can forward each second. By
default the device sends unknown unicasts and all other traffic at wire speed and is limited only by the capacities
of the hardware. However, if other devices in the network cannot handle unlimited unknown-unicast traffic, this
command allows you to relieve those devices by throttling the unknown unicasts at the Brocade device.
For example, enter the following command:
ServerIron(config)#broadcast limit 30000
To enable an interface specific configuration, enter commands such as the following:
ServerIron(config)#int e 6
ServerIron(config-if-6)#broadcast limit 30000
Syntax: [no] broadcast limit <num>
Assigning a Gateway List
Dynamic Host Configuration Protocol (DHCP) Assist allows a Brocade switch to assist a router that is performing
multinetting on its interfaces as part of its DHCP relay function. DHCP eliminates the need to manually assign IP
addresses to clients. Instead of each client having a statically configured IP address, clients petition a server for
IP addresses when the clients are booted.
DHCP Assist ensures that a DHCP server that manages multiple IP subnets can readily recognize the requester’s
IP sub-net, even when that server is not on the client’s local LAN segment. The Brocade switch does this by
stamping the correct gateway IP address into a DHCP discovery packet on behalf of the router.
Use the dhcp-gateway-list <num> <ip-addr> command when DHCP Assist is enabled on a Brocade switch. A
gateway address must be defined for each sub-net that will be requesting addresses from a DHCP server. This
allows the stamping process to occur. Each gateway address defined on the switch corresponds to an IP address
of the ServerIron interface or other device involved.
Up to eight addresses can be defined for each gateway list in support of ports that are multi-homed. When
multiple IP addresses are configured for a gateway list, the switch inserts the addresses into the discovery packet
in a round robin fashion.
Up to 32 gateway lists can be defined for each switch.
For example, enter the following command:
ServerIron(config)#dhcp-gateway-list 1 192.95.5.1
Or, assign it to a specific interface:
ServerIron(config)#int e 2
ServerIron(config-if-2)#dhcp-gateway-list 1
Syntax: [no] dhcp-gateway-list <num> <ip-addr>
Multicast
Enabling IP Multicast Traffic Reduction
IP multicast containment allows Brocade switches to limit switching of IP multicast packets to only those ports on
the switch that are identified as IP multicast members. Brocade switches can provide IP multicast containment in
either of the following modes:
• Passive—The switch listens for Internet Group Management Protocol (IGMP) packets and forwards them to
the appropriate ports.
• Active—The switch actively sends out host queries to identify IP multicast groups on the network and inserts
this information into the IGMP packets.
Routers in the network generally handle host queries. Use IP multicast containment in passive mode unless
your configuration has no router to provide this service.
The ServerIron can operate in either an active or passive IP multicast mode. You must save changes to flash
and reset (reload) the switch for the configuration changes to become active.
If configured to be active, the switch will actively send out host queries to identify IP Multicast groups on the
network and insert this information in the IGMP packet. Routers in the network generally handle this operation.
If configured to be passive, the switch will only identify the packet as an IGMP packet and forward it accordingly.
To enable IP Multicast Traffic Reduction, enter commands such as the following:
ServerIron(config)#ip multicast passive
ServerIron(config)#write memory
ServerIron(config)#end
ServerIron#reload
Syntax: [no] ip multicast active | passive
Configuring a Multicast Filter
You can filter on all multicast packets or on specific multicast groups.
To configure a Layer 2 multicast filter to filter all multicast groups, then apply the filter to ports 2/4, 2/5, and 2/8,
enter commands such as the following:
ServerIron(config)#multicast filter 1 any
ServerIron(config-mcast-filter-id-1)#exclude-ports e 2/4 to 2/5 e 2/8
ServerIron(config-mcast-filter-id-1)#write mem
To configure a multicast filter to block all multicast traffic destined for multicast addresses 0100.5e00.5200 –
0100.5e00.52ff on port 4/8, enter commands such as the following:
ServerIron(config)#multicast filter 2 any 0100.5e00.5200 ffff.ffff.ff00
ServerIron(config-mcast-filter-id-2)#exclude-ports ethernet 4/8
ServerIron(config-mcast-filter-id-2)#write mem
The software calculates the range by combining the mask with the multicast address. In this example, all but the
last two hexadecimal digits of the mask are significant (ones). The last two digits are zeros and thus match on any value.
Syntax: [no] multicast filter <filter-id> any | ip udp mac <multicast-address> | any [mask <ip-mask>] [vlan <vlanid>]
The parameter values are the same as for the broadcast filter command. In addition, the multicast filter
command requires the mac <multicast-address> | any parameter, which specifies the multicast address. Enter
mac any to filter on all multicast addresses. Enter mac followed by a specific multicast address to filter only on
that multicast address.
To filter on a range of multicast addresses, use the mask <ip-mask> parameter. For example, to filter on multicast
groups 0100.5e00.5200 – 0100.5e00.52ff, use mask ffff.ffff.ff00. The default mask matches all bits (is all Fs). You
can leave the mask off if you want the filter to match on all bits in the multicast address.
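The range calculation described above, as an added example (not from the guide and not Brocade code). It goes one step beyond the text: using the standard IPv4 multicast mapping (the low 23 bits of the group address are copied into the 0100.5e00.0000 MAC block, RFC 1112), it lists every IP group that a Layer 2 filter on the range also blocks. Function names are hypothetical.

```python
"""Address range and affected IPv4 groups for a Layer 2 multicast filter.

Added illustration, not Brocade code; function names are hypothetical.
"""
import ipaddress

ALL_ONES = (1 << 48) - 1
MCAST_BASE = 0x01005E000000      # IPv4 multicast MAC block (RFC 1112)
LOW23 = (1 << 23) - 1            # bits copied from the IP group address


def mac_to_int(mac):
    digits = mac.replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"expected xxxx.xxxx.xxxx, got {mac!r}")
    return int(digits, 16)


def int_to_mac(value):
    text = f"{value:012x}"
    return ".".join(text[i:i + 4] for i in (0, 4, 8))


def mask_range(addr, mask):
    """Return (first, last) MAC matched by addr combined with mask."""
    a, m = mac_to_int(addr), mac_to_int(mask)
    wild = ~m & ALL_ONES
    # The matches form one contiguous range only if the zero bits of the
    # mask are all at the low end (wild looks like 0...011...1).
    if wild & (wild + 1):
        raise ValueError("mask has zeros above ones; matches are not one range")
    first = a & m
    return int_to_mac(first), int_to_mac(first | wild)


def ipv4_groups(addr, mask):
    """List the IPv4 multicast networks whose frames fall in the MAC range."""
    first, last = (mac_to_int(x) for x in mask_range(addr, mask))
    if first < MCAST_BASE or last > (MCAST_BASE | LOW23):
        raise ValueError("range is outside the IPv4 multicast MAC block")
    networks = []
    # 5 bits of the group address are not carried in the MAC, so 32 groups
    # share each MAC address.
    for k in range(32):
        base = (0xE0 << 24) | (k << 23)          # 224.0.0.0 + k * 2**23
        lo = ipaddress.IPv4Address(base | (first & LOW23))
        hi = ipaddress.IPv4Address(base | (last & LOW23))
        networks.extend(ipaddress.summarize_address_range(lo, hi))
    return networks


if __name__ == "__main__":
    # Address and mask from the guide's multicast filter 2 example.
    addr, mask = "0100.5e00.5200", "ffff.ffff.ff00"
    print("MAC range:", " - ".join(mask_range(addr, mask)))
    for net in ipv4_groups(addr, mask):
        print("  also blocks", net)
```

When a filter is meant to block one application's group, check the returned networks for other groups in use on the VLAN before applying it.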
Setting the Multicast Limit
By default, the device sends multicasts and all other traffic at wire speed and is limited only by the capacities of the
hardware. However, if other devices in the network cannot handle unlimited multicast traffic, this command allows
you to relieve those devices by throttling the multicasts at the Brocade device.
NOTE: The multicast limit does not affect broadcast or unicast traffic. However, you can use the broadcast limit
and unknown-unicast limit commands to control these types of traffic.
To specify the maximum number of multicast packets the device can forward each second, enter the following
command:
ServerIron(config)#multicast limit 30000
To put the multicast limit on a specific interface, enter commands such as the following:
ServerIron(config)#interface e5
ServerIron(config-if-5)#multicast limit 30000
Syntax: [no] multicast limit <num>
<num> can be 0 – 4294967295.
Disabling IGMP Queries
You can disable Internet Group Management Protocol (IGMP) queries from being sent or received on the port.
IGMP queries are enabled by default.
To disable IGMP queries on an interface, enter commands such as the following:
ServerIron(config)#int e5
ServerIron(config-if-5)#ip-multicast-disable
To re-enable the IGMP queries on the interface, enter a command such as the following:
ServerIron(config-if-5)#no ip-multicast-disable
Syntax: [no] ip-multicast-disable
Notes:
• This feature is supported only in hot-standby configurations.
• IP forwarding must be enabled on the ServerIron.
• The backup MAC address in the hot-standby configuration must be the first port MAC address of one of the
ServerIrons.
• All VIPs on the device must be in a VE subnet.
• This feature is not supported in SSLB, TCS, FWLB, or IP NAT configurations.
Adding an IP Interface
To add an IP interface to the ServerIron, you must first add a virtual routing interface and then configure IP
addresses on it.
To add a virtual routing interface, enter commands such as the following:
ServerIron(config)# vlan 1
ServerIron(config-vlan-1)# router-interface ve 1
The vlan 1 command changes the CLI to the configuration level for VLAN 1. The router-interface ve 1 command
adds virtual routing interface 1.
Syntax: [no] router-interface ve <num>
The <num> parameter specifies the interface ID and can be from 1 – 24.
After you add a virtual routing interface, you can add up to 64 IP interfaces to the virtual routing interface. To add
an IP interface, use the following CLI method.
NOTE: When you add an IP interface to a virtual routing interface and the interface is up, the software adds a
directly-connected static IP route to the route table for the address’ sub-net. The software does not add the route
unless the interface is up.
NOTE: For IP forwarding to work properly, you must add an IP interface that is in the same sub-net as the
management IP address. This is true regardless of whether you plan to allow management access from other
sub-nets.
NOTE: Do not configure a virtual routing interface to have the same IP address as the ServerIron’s management
address.
To add an IP interface, enter commands such as the following:
ServerIron(config)# interface ve 1
ServerIron(config-vif-1)# ip address 10.10.10.1 255.255.255.0
The interface ve 1 command changes the CLI to the configuration level for virtual routing interface 1. The ip
address command adds an IP interface.
Syntax: [no] ip address | nat-address | standby-address <ip-addr> <ip-mask> | <ip-addr>/<mask-bits>
The address | nat-address | standby-address parameter identifies the type of IP interface you are adding.
• The address parameter adds a standard IP interface. This option is applicable in most cases.
• The nat-address parameter applies to active-standby configurations. This parameter configures a shared IP
interface for use with SLB source NAT. Enter the same command with the same IP address on each of the
ServerIrons in the active-standby configuration. The address is active only on one ServerIron (the
ServerIron that is currently active) at a time.
• The standby-address parameter applies to active-standby configurations and allows both ServerIrons to
share the same router interface. One of the ServerIrons actively supports the interface while the other
ServerIron provides failover for the interface if the first ServerIron becomes unavailable. Real servers can use
the shared interface as their default gateway. Enter the same command with the same IP address on each of
the ServerIrons in the active-standby configuration. The address is active only on one ServerIron (the
ServerIron that is currently active) at a time.
The <ip-addr> parameter specifies the IP address.
The <ip-mask> parameter specifies a class-based (or “Classical”) IP sub-net mask.
The <mask-bits> parameter specifies the number of significant bits in a Classless Interdomain Routing (CIDR)
sub-net mask.
You can use either format to configure the interface. For example, both the following commands are valid and
produce the same result:
• ip address 10.10.10.1 255.255.255.0
• ip address 10.10.10.1/24
Adding a Static IP Route
The software places the static route in the IP route table only if the virtual routing interface is up.
To add a static IP route to the 209.157.2.x/24 sub-net, enter a command such as the following:
ServerIron(config)#ip route 209.157.2.0 255.255.255.0 192.168.2.1
Syntax: [no] ip route <dest-ip-addr> <dest-mask> <next-hop-ip-addr> | null0 [<metric>]
Syntax: [no] ip route <dest-ip-addr>/<mask-bits> <next-hop-ip-addr> | null0 [<metric>]
The <dest-ip-addr> parameter specifies the route’s destination. The <dest-mask> is the network mask for the
route’s destination IP address. Alternatively, you can specify the network mask information by entering a forward
slash followed by the number of bits in the network mask. For example, you can enter 192.0.0.0 255.255.255.0 as
192.0.0.0/24. To configure a default route, enter 0.0.0.0 for <dest-ip-addr> and 0.0.0.0 for <dest-mask> (or 0 for
the <mask-bits> if you specify the address in CIDR format). Specify the IP address of the default gateway using
the <next-hop-ip-addr> parameter.
The <next-hop-ip-addr> parameter specifies the IP address of the next-hop router (gateway) for the route. If you
specify null0 instead of a next hop IP address, the ServerIron discards packets addressed to the route’s
destination IP address instead of forwarding them to another device.
If you add a default route, the gateway address of the route replaces the default gateway address configured by
the ip default-gateway command. Likewise, if you use the ip default-gateway command to change the default
gateway address, the gateway address in the default route is automatically changed also.
The <metric> parameter specifies the cost of the route and can be a number from 1 – 16. The default is 1. The
metric is used by RIP. If you do not enable RIP, the metric is not used.
NOTE: The ServerIron supports IP fragmentation but is not in the position to perform IP fragmentation. It is
recommended to perform IP fragmentation on routers connecting to the ServerIron.
Adding a Static ARP Entry
Static entries are useful in cases where you want to pre-configure an entry for a device that is not connected to the
ServerIron, or you want to prevent a particular entry from aging out. The software removes a dynamic entry from
the ARP cache if the ARP aging interval expires before the entry is refreshed. Static entries do not age out,
regardless of whether the ServerIron receives an ARP request from the device that has the entry’s address. The
software places a static ARP entry into the ARP cache as soon as you create the entry.
To add a static ARP entry, enter commands such as the following:
ServerIron(config)#arp 1 209.157.22.3 aaaa.bbbb.cccc ethernet 3
This command adds a static ARP entry that maps IP address 209.157.22.3 to MAC address aaaa.bbbb.cccc. The
entry is for a MAC address connected to ServerIron port 3.
Syntax: [no] arp <num> <ip-addr> <mac-addr> ethernet <portnum> [vlan <vlan-id>]
The <num> parameter specifies the entry number. You can specify a number from 1 up to the maximum number of
static entries allowed on the device. You can allocate more memory to increase this amount to 128 entries. See
“Setting System Max” on page 2-23.
The <ip-addr> parameter specifies the IP address of the device that has the MAC address of the entry.
The <mac-addr> parameter specifies the MAC address of the entry.
The ethernet <portnum> parameter specifies the port number attached to the device that has the MAC address of
the entry.
The vlan <vlan-id> parameter specifies the port-based VLAN the entry belongs to. This parameter is required if
the port you specify is a member of more than one port-based VLAN. Otherwise, the parameter is optional.
To display the static ARP entries, see “Displaying Static ARP Entries” on page 2-28.
NOTE: You can add static ARP entries regardless of whether IP forwarding is enabled. On software release
08.x.xxR, you must create the static MAC that corresponds to the static ARP before creating a static ARP entry.
Clearing the ARP Cache
To remove all data from the ARP cache, enter the following command:
ServerIron# clear arp
To clear all ARP entries for port 2 on the module in slot 3, enter commands such as the following:
ServerIron# clear arp ethernet 3/2
Syntax: clear arp [ethernet <num> | mac-address <xxxx.xxxx.xxxx> [<mask>] | <ip-addr> [<ip-mask>]]
Specify the MAC address mask as “f”s and “0”s, where “f”s are significant bits. Specify IP address masks in
standard decimal mask format (for example, 255.255.0.0).
NOTE: The clear arp command clears learned ARP entries but does not remove any static ARP entries.
Clearing the IP Cache
To remove all entries from the IP cache, enter the following command:
ServerIron# clear ip cache
Syntax: clear ip cache
Clearing the MAC Address Table
To remove all entries in the MAC address table, enter the following command:
ServerIron#clear mac-address
Syntax: clear mac-address
Setting System Max
Use system-max <option> to modify the default settings for parameters that use system memory.
The configurable parameters and their defaults and maximums differ depending on the device.
Issue the show default values command to display the configurable parameters and their defaults. If you specify
default but not the optional values, the default states for parameters that can either be enabled or disabled are
displayed. If you also specify values, the default values for parameters that take a numeric value are displayed.
To increase the number of real servers available on the ServerIron, enter commands such as the following:
ServerIron(config)#system-max l4-real 2048
To increase the number of virtual servers available on the ServerIron, enter commands such as the following:
ServerIron(config)#system-max l4-virtual-server 512
To increase the number of TCP/UDP ports available on the ServerIron, enter a command such as the following:
ServerIron(config)#system-max l4-server-port 4095
To increase the number of TCP buffers available on the ServerIron, enter a command such as the following:
ServerIron(config)#system-max tcp-buffer 2048
To increase the number of SNMP views available on the ServerIron, enter a command such as the following:
ServerIron(config)#system-max view 15
Syntax: [no] system-max <option>
<option> can be any of the following:
• l4-real-server <real-servers>—where <real-servers> can be from 64 – 2048.
• l4-virtual-server <virtual-servers>—where <virtual-servers> can be from 64 – 512.
• l4-server-port <number-of-ports>—where <number-of-ports> can be from 256 – 4096. The system max of
4096 includes the default port for each defined real server.
• tcp-buffer <number-of-buffers>—where <number-of-buffers> can be from 128 – 2048. The ServerIron uses
TCP buffers for TCP sessions. Applications such as GSLB use many TCP buffers, since buffers are required
for TCP health checks as well as client connections with real servers. If you receive a message that the
ServerIron cannot perform a health check or other TCP tasks, you might need to allocate more memory for
TCP buffers.
• view <number-of-views>—specifies the maximum number of SNMPv2 and v3 views that can be configured on a
ServerIron. The number of views can be from 10 – 65536. The default is 10 views.
Adding a Static MAC Address
To define a static MAC address on an individual switch or switching port to ensure it is not aged out, enter
commands such as the following:
ServerIron(config)#static-mac-address 1145.5563.67FF e12 7 router-type
The syntax for adding static MAC entries differs depending on whether you are using a stackable or chassis
ServerIron. To create a static MAC entry that is associated with multiple ports:
ServerIron(config)#static-mac-address aaaa.bbbb.cccc ethernet 1 ethernet 3 to 5
This command creates a static MAC entry that is associated with port 1 and ports 3 – 5. The ServerIron forwards
traffic addressed to aaaa.bbbb.cccc out all the ports you specify, in this case 1, 3, 4, and 5.
If you enter the command at the global CONFIG level, the static MAC entry applies to the default port-based VLAN
(VLAN 1). If you enter the command at the configuration level for a specific port-based VLAN, the entry applies to
that VLAN and not to the default VLAN.
If you want to include a trunk group when you configure a static MAC entry that has multiple ports, include only the
primary port of the trunk group. If you include all the trunk group’s ports, the ServerIron uses all the ports to
forward traffic for the MAC address instead of using only the active trunk port.
To enter a static MAC address entry for port 5, that is also resident in port-based VLAN 4, enter commands such
as the following:
ServerIron(config)#vlan 4
ServerIron(config-vlan-4)#static-mac-address 023.876.735 ethernet 5 high-priority router-type
To create a static ARP entry for a static MAC entry, enter commands such as the following:
ServerIron(config)#arp 1 192.53.4.2 aaaa.bbbb.cccc ethernet 1
The arp command allows you to specify only one port number. To create a static ARP entry for a static MAC entry
that is associated with multiple ports, specify the first (lowest-numbered) port associated with the static MAC entry.
Syntax: [no] static-mac-address <mac-addr> ethernet <portnum> [priority <0-7>] [host-type | router-type]
The priority can be 0 – 7 (0 is lowest and 7 is highest). The default is host-type.
Brocade recommends that you configure a static ARP entry to match the static MAC entry. In fact, the software
automatically creates a static MAC entry when you create a static ARP entry. When a static MAC entry has a
corresponding static ARP entry, you cannot delete the static MAC entry unless you first delete the static ARP
entry.
Displaying IP Forwarding Information
You can display the following IP forwarding information:
• The IP forwarding state (enabled or disabled)
• ARP entries
• IP interfaces
• The IP route table
• IP traffic statistics
Displaying IP Forwarding State Information
To display IP forwarding state information as well as other global IP parameters, enter the following command at
any level of the CLI:
ServerIron(config)# show ip
Enabled : IP_Forwarding
Disabled : RIP
RIP-Redist
Switch IP address: 192.168.2.100
Subnet mask: 255.255.255.0
Default router address: 192.168.2.1
TFTP server address: None
Configuration filename: None
Image filename: None
Syntax: show ip
This display shows the following information.
Table 2.1: CLI Display of Global IP Configuration Information
This Field...
Displays...
IP configuration
IP Forwarding state
The state of the IP forwarding feature. The state can be one of the
following:
• Disabled
• Enabled
RIP state
The state of RIP. The state can be one of the following:
• Disabled
• Enabled
If route redistribution is enabled, “RIP-Redist” is displayed as well.
For information, see “Redistributing IP Static Routes into RIP” on
page 2-37.
Switch IP address
The management IP address you configured on the ServerIron.
Specify this address for Telnet or Web management access.
Subnet mask
The sub-net mask for the management IP address.
Default router address
The address of the default gateway, if you specified one.
Note: When IP forwarding is enabled, the address is listed only if the
corresponding virtual interface is up. When IP forwarding is disabled,
the configured default gateway address is always displayed.
Most recent TFTP access
TFTP server address
The IP address of the most-recently contacted TFTP server, if the
ServerIron has contacted a TFTP server since the last time the
software was reloaded or the ServerIron was rebooted.
Configuration filename
The name under which the ServerIron’s startup-config file was
uploaded or downloaded during the most recent TFTP access.
Image filename
The name of the ServerIron flash image (system software file) that
was uploaded or downloaded during the most recent TFTP access.
Displaying the IP Host Table
To display the IP host table showing indexes to MAC addresses and the IP address of the next hop for ServerIrons
configured to operate in a multinetted environment, enter the following command:
ServerIron#[ 1] sh ip cache
IP            Mac             Port  Age  VlanId  Cam  CamF  Hw  FCnt
209.157.20.1  0000.0000.0000  6     0    3144    0    0     0   0
Syntax: show ip cache [<ip-addr> [<ip-addr>]]
Displaying the ARP Cache or the Static ARP Table
You can display the ARP cache or the static ARP table. The ARP table contains the static ARP entries, if any, you
configured on the device. The ARP cache contains all the ARP entries, including static entries.
To display the ARP cache, enter the following command at any level of the CLI:
ServerIron(config)# show arp
IP             Mac             Type     Port  Age  VlanId
10.10.10.10    00d0.0958.9b07  Static   9     0    1
192.168.2.14   0050.04bb.81fa  Static   15    0    1
192.168.2.1    00e0.5205.9056  Static   15    0    1
192.168.2.157  00e0.2972.2ab5  Dynamic  15    0    1
192.168.2.15   0010.5ad1.3701  Dynamic  15    0    1
192.168.2.77   00e0.5202.de72  Dynamic  15    0    1
Total Arp Entries : 6
Syntax: show arp [<ip-addr> [<ip-mask>] | ethernet <portnum> mac-address <xxxx.xxxx.xxxx> [<mask>]]
The <ip-addr> and <ip-mask> parameters let you restrict the display to entries for a specific IP address and
network mask. Specify the IP address masks in standard decimal mask format (for example, 255.255.0.0).
NOTE: The <ip-mask> parameter and <mask> parameter perform different operations. The <ip-mask>
parameter specifies the network mask for a specific IP address, whereas the <mask> parameter provides a filter
for displaying multiple MAC addresses that have specific values in common.
The ethernet <portnum> parameter lets you restrict the display to entries for a specific port.
The mac-address <xxxx.xxxx.xxxx> parameter lets you restrict the display to entries for a specific MAC address.
The <mask> parameter lets you specify a mask for the mac-address <xxxx.xxxx.xxxx> parameter, to display
entries for multiple MAC addresses. Specify the MAC address mask as “f”s and “0”s, where “f”s are significant
bits.
Here are some examples of how to use these commands.
The following command displays all ARP entries for MAC addresses that begin with “abcd”:
ServerIron# show arp mac-address a.b.c.d ffff.0000.0000
The following command displays all IP address entries for IP addresses that begin with "209.157":
ServerIron# show arp 209.157.0.0 255.255.0.0
This show arp command displays the following information.
Table 2.2: CLI Display of ARP Cache
This Field...       Displays...
IP                  The IP address of the device.
MAC                 The MAC address of the device.
Type                The type, which can be one of the following:
                    • Dynamic – The ServerIron learned the entry from an incoming packet.
                    • Static – You added the entry to the ARP table.
Port                The port on which the entry was learned.
Age                 The number of minutes the entry has remained unused. If this value
                    reaches the ARP aging period, the entry is removed from the table.
                    Note: Static entries do not age out.
VlanId              The port-based VLAN that the ServerIron port connected to the
                    entry’s MAC address is in.
Total ARP Entries   The total number of entries in the cache. The total includes both
                    dynamic (learned) and static ARP entries.
Displaying Static ARP Entries
To display static ARP entries, enter the following command at any level of the CLI:
ServerIron(config)# show ip static-arp
Static ARP table size: 64, configurable from 64 to 128
Index  IP Address      MAC Address     Port
1      10.10.10.10     00d0.0958.9b07  9
2      192.168.2.1     00e0.5205.9056  15
3      192.168.2.157   00e0.2972.2ab5  15
4      192.168.2.14    0050.04bb.81fa  15
5      192.168.2.15    0010.5ad1.3701  15
Syntax: show ip static-arp [<ip-addr> [<ip-mask>] | ethernet <portnum> mac-address <xxxx.xxxx.xxxx> [<mask>]]
The parameters are the same as those for the show arp command.
The show ip static-arp command displays the following information.
Table 2.3: CLI Display of Static ARP Table
This Field...           Displays...
Static ARP table size   The maximum number of static entries that can be configured on the
                        device using the current memory allocation. The range of valid
                        memory allocations for static ARP entries is listed after the current
                        allocation. To change the memory allocation for static ARP entries,
                        see “Setting System Max” on page 2-23.
Index                   The number of this entry in the table. You specify the entry number
                        when you create the entry.
IP Address              The IP address of the device.
MAC Address             The MAC address of the device.
Port                    The port attached to the device the entry is for.
Displaying a List of IP Interfaces
To display a list of the IP interfaces configured on the ServerIron, enter the following command at any level of the
CLI:
ServerIron(config)# show ip interface
Interface  IP-Address      OK?  Method  Status  Protocol
Ve 1       192.168.2.1     YES  manual  up      up
Ve 1       10.10.10.1      YES  manual  up      up
Ve 1       20.20.20.1      YES  manual  up      up
Ve 10      120.120.120.1   YES  manual  down    up
Ve 10      130.130.130.1   YES  manual  down    up
Syntax: show ip interface
This command displays the following information.
Table 2.4: CLI Display of IP Interfaces
This Field...   Displays...
Interface       The virtual routing interface.
IP-Address      The IP address of the interface.
OK?             Whether the IP address has been configured on the interface.
Method          Whether the IP address has been saved in NVRAM. If you have set
                the IP address for the interface in the CLI or Web Management
                interface, but have not saved the configuration, the entry for the
                interface in the Method field is “manual”.
Status          The link status of the interface. The status can be one of the
                following:
                • down
                • up
Protocol        Whether the interface can provide two-way communication. If the IP
                address is configured, and the link status of the interface is up, the
                entry in the protocol field is “up”. Otherwise the entry in the protocol
                field is “down”.
Displaying the IP Route Table
To display the IP route table, enter the following command at any level of the CLI:
ServerIron(config)# show ip route
Total number of IP routes: 9
Start index: 1 D:Connected S:Static *:Candidate default
     Destination     NetMask         Gateway          Port  Cost  Type
1    10.10.10.0      255.255.255.0   0.0.0.0          ve1   1     D
2    20.20.20.0      255.255.255.0   0.0.0.0          ve1   1     D
3    50.50.50.0      255.255.255.0   20.20.20.10      ve1   1     S
4    60.60.60.0      255.255.255.0   20.20.20.10      ve1   1     S
5    70.70.70.0      255.255.255.0   120.120.120.10   ve1   1     S
6    120.120.120.0   255.255.255.0   0.0.0.0          ve1   1     D
7    130.130.130.0   255.255.255.0   0.0.0.0          ve1   1     D
8    192.168.2.0     255.255.255.0   0.0.0.0          ve1   1     D
9    0.0.0.0         0.0.0.0         192.168.2.1      ve1   1     S
Syntax: show ip route
This command displays the following information.
Table 2.5: CLI Display of IP Route Table
This Field...               Displays...
Total number of IP routes   The total number of routes in the table, including routes that you
                            added and directly-connected routes the software added when you
                            added IP interfaces.
Start index                 The starting entry number in the table.
Destination                 The destination network of the route.
NetMask                     The network mask of the destination address.
Gateway                     The next-hop router.
Port                        The virtual routing interface to which the route belongs.
Cost                        The route's cost.
Type                        The route type, which can be one of the following:
                            • D – The destination is directly connected to the ServerIron.
                            • R – The route is a RIP route.
                            • S – The route is a static route.
Displaying IP Forwarding Traffic Statistics
To display IP forwarding traffic statistics, enter the following command at any level of the CLI:
ServerIron(config)# show ip traffic
IP Statistics
587 received, 593 sent, 14 forwarded
0 fragmented, 0 reassembled, 0 bad header
489 no route, 0 unknown proto, 0 no buffer, 9 other errors
Syntax: show ip traffic
This command displays the following information related to IP forwarding.
Table 2.6: CLI Display of IP Forwarding Traffic Statistics
This Field...   Displays...
received        The total number of IP packets received by the device.
sent            The total number of IP packets originated and sent by the device.
forwarded       The total number of IP packets received by the device and forwarded
                to other devices.
filtered        The total number of IP packets filtered by the device.
fragmented      The total number of IP packets fragmented by this device to
                accommodate the MTU of this device or of another device.
reassembled     The total number of fragmented IP packets that this device reassembled.
bad header      The number of IP packets dropped by the device due to a bad packet
                header.
no route        The number of packets dropped by the device because there was no
                route.
unknown proto   The number of packets dropped by the device because the value in
                the Protocol field of the packet header is unrecognized by this device.
no buffer       This information is used by Brocade customer support.
other errors    The number of packets that this device dropped due to error types
                other than the types listed above.
The display contains additional sections of statistics. However, the additional statistics apply to Layer 4 – 7
switching, not to IP forwarding.
Clearing IP Traffic Statistics
To clear the IP traffic statistics displayed by the show ip traffic command, enter the following command:
ServerIron# clear ip traffic
Syntax: clear ip traffic
IP Interfaces and Multinetting
Beginning with Release 8.0.00, the ServerIron Chassis devices support Layer 3 features, including the following:
• Multiple IP interfaces in the same or different sub-nets
• Support for multiple sub-net addresses on the same physical port or a single sub-net address on multiple
  physical ports
• Route-only support
NOTE: When switch trunk is configured and the servers are all remote servers 1 hop away from the ServerIron,
Layer 3 switch trunking does not work. The ServerIron does not perform load balancing on the trunk ports. The
expected behavior is trunking should be based on destination IP only.
The Layer 3 features include support for configuring multiple IP interfaces in the same or different IP sub-nets on
the ServerIron.
• Without Layer 3 – When you use the ServerIron as a Layer 2 and Layer 4 – 7 switch, you can configure one IP
  interface on the device. The address is used as the management interface for the device. To multi-net the
  device, you must configure source IP addresses for the sub-nets that are in addition to the sub-net containing
  the device’s management IP address.
• With Layer 3 – When you use the ServerIron as a Layer 2/3 and Layer 4 – 7 switch, you can configure
  separate IP sub-net interfaces on individual ports. In addition, you can associate the same sub-net interface
  with all the ports in a port-based VLAN by configuring a virtual routing interface on the VLAN, then assigning
  an IP address to the virtual routing interface.
If you configure an IP address on an individual port, you can configure Layer 3 interface parameters on that port.
If you configure a virtual routing interface, you can configure Layer 3 interface parameters only on the virtual
routing interface. This also applies to security features such as SYN-Guard and SYN-Defense.
The source-nat Parameter
Some configurations require use of the source-nat parameter. This parameter changes the source IP address in a
packet from a client to a server. When the ServerIron and server are in different sub-nets, this parameter ensures
that the client’s request appears to the real server to have come from the ServerIron, and ensures that the server
reply goes back through the ServerIron.
In software release 07.2.x, use of this parameter also requires that you use the server source-ip or source-ip
command to configure an IP interface in the same sub-net as the server. In TrafficWorks 8.0, you do not need
these commands. Instead, use the ip address command to configure an IP interface that is in the same sub-net
as the server. Configure the interface on one of the following:
• The physical port connected to the server
• The virtual routing interface associated with the port-based VLAN that contains the port connected to the
  server
Disabling Layer 2 Switching
By default, ServerIron Chassis devices support Layer 2 switching. In Release 08.1.00R and later, if you want to
disable Layer 2 switching, you can do so globally or on individual ports with the route-only command. This
command is supported only on an interface facing a real server.
As a best practice, Brocade recommends you do not put route-only on the interfaces where servers are
connected.
Configuring a Decnet Protocol VLAN
All ports will by default be assigned to the VLAN when initially created. VLAN Membership can be modified using
the dynamic, static, or exclude commands.
To create a Decnet protocol VLAN on the ServerIron, enter commands such as the following:
ServerIron(config)# decnet-proto
ServerIron(config-decnet-proto)# static e 1/15 to 1/16
ServerIron(config-decnet-proto)# exclude e 1/1 to 1/14 e 1/18
This example creates a Decnet protocol VLAN with permanent port membership of 15 and 16 with port 17 as a
dynamic member port (on module 1).
Syntax: [no] decnet-proto
Configuring an IP Interface
In Router (R) images, use the ip address command to configure an IP interface for use with IP forwarding. You
must configure the IP interface on a virtual routing interface. You cannot configure the interface on a physical port.
See router-interface.
To add an IP interface, enter commands such as the following:
ServerIron(config)# interface ve 1
ServerIron(config-vif-1)# ip address 10.10.10.1 255.255.255.0
The interface ve 1 command changes the CLI to the configuration level for virtual routing interface 1. The ip
address command adds an IP interface.
Syntax: [no] ip address | nat-address | standby-address <ip-addr> <ip-mask> | <ip-addr>/<mask-bits>
This command applies only to Layer 3 IP interfaces for use with IP forwarding.
The address | nat-address | standby-address parameter identifies the type of IP interface you are adding.
• The address parameter adds a standard IP interface. This option is applicable in most cases.
• The nat-address parameter applies to active-standby configurations. This parameter configures a shared IP
  interface for use with SLB source NAT. Enter the same command with the same IP address on each of the
  ServerIrons in the active-standby configuration. The address is active only on one ServerIron (the ServerIron
  that is currently active) at a time.
  NOTE: SLB source NAT is different from standard Network Address Translation (NAT).
• The standby-address parameter applies to active-standby configurations and allows both ServerIrons to
  share the same router interface. One of the ServerIrons actively supports the interface while the other
  ServerIron provides failover for the interface if the first ServerIron becomes unavailable. Real servers can use
  the shared interface as their default gateway. Enter the same command with the same IP address on each of
  the ServerIrons in the active-standby configuration. The address is active only on one ServerIron (the
  ServerIron that is currently active) at a time.
The <ip-addr> parameter specifies the IP address.
The <ip-mask> parameter specifies a class-based (or “Classical”) IP sub-net mask.
The <mask-bits> parameter specifies the number of significant bits in a Classless Interdomain Routing (CIDR)
sub-net mask.
You can use either format to configure the interface. For example, both the following commands are valid and
produce the same result:
• ip address 10.10.10.1 255.255.255.0
• ip address 10.10.10.1/24
Configuring an IP Filter
You can use IP filters (or ACLs) to selectively control SLB and TCS traffic. The filters or ACLs can match on
source and destination IP address, network mask, and TCP/UDP port information.
All filters and ACLs are dynamic; they take effect immediately for new connections and do not require a reboot of
the ServerIron. New filters or ACLs do not affect existing connections.
Each filter or ACL provides one of the following actions:
• Permit
  • For SLB, permits access to a virtual server (identified by VIP) or to a specific TCP/UDP port on the virtual
    server.
  • For TCS, permits redirection of a client request to a cache server.
• Deny
  • For SLB, denies access to a virtual server (identified by VIP) or to a specific TCP/UDP port on the virtual
    server. The packet is dropped.
  • For TCS, denies access to the cache server and instead sends the request out to the Internet. The
    packet is not dropped.
By default, no filters or ACLs are configured on the ServerIron. All packets are implicitly permitted. However, as
soon as you add a filter or ACL, all packets that do not match the filter or ACL are implicitly denied. This behavior
ensures tighter control in filtered environments. To change this behavior so that all packets that do not match a
filter are permitted instead of denied, configure the last filter (1024) or ACL to permit any traffic.
NOTE: To filter on Layer 2 traffic, you can configure Layer 2 MAC filters. See “MAC Filters” on page 2-14.
To set up IP filters to explicitly permit or deny access to specific TCP/UDP ports, use the ip filter command. When
you configure this type of filter, you specify the virtual IP address (VIP) as the destination address for the filter, not
the real server’s IP address.
Syntax: [no] ip filter <filter-id> permit | deny <src-ip-addr> | any <src-mask> | any <dst-ip-addr> | any <dst-mask>
| any <protocol> [<established> <operator> <port range>]
The items in brackets apply to TCP only.
SLB Example
Figure 2.3 shows an example of how you can use an IP filter in SLB. In this example, the administrator wants to
block a specific client’s access to the FTP service on a VIP but permit access to the other services.
Figure 2.3: IP filter used to block client access to a TCP/UDP port
[Figure labels: Client A, 209.157.22.26; Internet; Remote Access Server (RAS); Border Access Router (BAR); SI;
Local Real Web Server 1, IP address 10.2.1.5 (HTTP, Telnet, and FTP services); Local Real Web Server 2, IP address
10.2.2.200 (HTTP, Telnet, and FTP services). Callout: An IP filter blocks Client A from accessing FTP on the real
servers, but allows Client A to access other services. The filter is applied to the VIP, 192.101.10.1. The filter is not
applied to the real server’s IP address.]
To configure an IP filter to block 209.157.22.26 from accessing FTP on 192.101.10.1:
ServerIron(config)#ip filter 1 deny 209.157.22.26 255.255.255.0 192.101.10.1 255.255.255.0 tcp eq ftp
You cannot use Layer 2 filters to filter Layer 4 information. To filter Layer 4 information, use IP access policies.
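The filter decision described in this section, modelled in Python as an added example (it is not Brocade code and not part of the original guide). It assumes filters are checked in ascending filter-ID order with the first match deciding, and that mask bits set to 1 are the significant address bits; NEIGHBOUR, HOST_ONLY and all function names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

ANY = None  # stands for the "any" keyword in the syntax line


@dataclass(frozen=True)
class IpFilter:
    filter_id: int
    action: str                       # "permit" or "deny"
    src: Optional[Tuple[str, str]]    # (address, mask) or ANY
    dst: Optional[Tuple[str, str]]    # (address, mask) or ANY
    protocol: Optional[str] = ANY     # "tcp", "udp" or ANY
    port: Optional[int] = ANY         # models "eq <port>"; ANY = every port


def masked_match(addr, rule):
    """Assumption: a mask bit set to 1 marks a significant address bit."""
    if rule is ANY:
        return True
    rule_addr, mask = (int(IPv4Address(part)) for part in rule)
    return int(IPv4Address(addr)) & mask == rule_addr & mask


def evaluate(filters, src, dst, protocol, port):
    """Return (action, ID of the deciding filter or None) for a new connection."""
    if not filters:
        return ("permit", None)   # nothing configured: all packets implicitly permitted
    # Assumption: the lowest filter ID is checked first and the first match decides.
    for f in sorted(filters, key=lambda f: f.filter_id):
        if (masked_match(src, f.src) and masked_match(dst, f.dst)
                and f.protocol in (ANY, protocol) and f.port in (ANY, port)):
            return (f.action, f.filter_id)
    return ("deny", None)         # a filter exists and none matched: implicit deny


FTP, HTTP = 21, 80
VIP = "192.101.10.1"
CLIENT_A = "209.157.22.26"
NEIGHBOUR = "209.157.22.99"       # constructed: a different client in the same /24

# Filter 1 exactly as entered on this page (both masks are 255.255.255.0).
PAGE_FILTER = IpFilter(1, "deny", (CLIENT_A, "255.255.255.0"),
                       (VIP, "255.255.255.0"), "tcp", FTP)
# The catch-all this section describes as the last filter (1024).
PERMIT_ANY = IpFilter(1024, "permit", ANY, ANY)
# Constructed variant with host masks, to show the effect of the mask width.
HOST_ONLY = IpFilter(1, "deny", (CLIENT_A, "255.255.255.255"),
                     (VIP, "255.255.255.255"), "tcp", FTP)


def decisions(filters):
    """Decisions for the three connections this example looks at."""
    return {
        "client_a_ftp": evaluate(filters, CLIENT_A, VIP, "tcp", FTP),
        "client_a_http": evaluate(filters, CLIENT_A, VIP, "tcp", HTTP),
        "neighbour_ftp": evaluate(filters, NEIGHBOUR, VIP, "tcp", FTP),
    }


if __name__ == "__main__":
    for name, ruleset in [("filter 1 alone", [PAGE_FILTER]),
                          ("filter 1 + 1024 permit any", [PAGE_FILTER, PERMIT_ANY]),
                          ("host-mask filter 1 + 1024", [HOST_ONLY, PERMIT_ANY])]:
        print(name, decisions(ruleset))
```

In this model, filter 1 on its own also drops Client A's HTTP connection through the implicit deny, so the "other services" stay reachable only once the filter 1024 permit is present; the 255.255.255.0 source mask additionally matches the constructed neighbour in the same sub-net.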
TCS Uses of Filters
You can use filters in TCS to control the following:
• Whether a specific request is sent to a cache server or forwarded to the Internet
• Whether content from specific sites is cached. You can even use policy-based cache switching to determine
  which cache servers receive content from specific sites.
NOTE: TCS filters never drop packets. Accept filters send packets to a cache server. Deny filters send packets
to the Internet.
If you do not define any filters, the default action is permit. For TCS, the default action redirects all traffic to cache
servers. However, when you define a filter, the ServerIron changes the default action to deny to ensure tighter
control. If you still want the default action to be permit, you can define the last filter (1024) to permit all traffic.
Filters apply only to new connections. New filters do not affect existing connections.
You can turn off web caching for a certain range of source or destination addresses to allow filtering on an address
basis using IP filters.
Policy-Based Cache Switching
The ServerIron TCS software allows you to configure IP filters to selectively cache or not cache content from
specific web sites on specific cache servers. For example, suppose some of your cache servers come
preconfigured with specific web pages and you want all updates to those pages to go only to the preconfigured
caches. In this case, you can use policy-based cache switching along with IP filters to configure the ServerIron to
send the content only to the specified cache servers.
You also can configure IP filters to prevent specific web sites from being cached on specific cache servers or all
cache servers.
See “Policy-Based Caching” on page 15-37 for more information about this feature.
Setting the TTL
To set the maximum time that a packet will live on the network, enter the following command:
ServerIron(config)#ip ttl 25
Syntax: [no] ip ttl <hops>
<hops> is from 1 to 255. The default is 64.
Configuring an IP Protocol VLAN
When creating an IP protocol VLAN on a switch, all ports are dynamically assigned to the VLAN.
On a router, no ports are dynamically assigned to an IP protocol VLAN. VLAN port membership must be assigned
using the static command, as shown in the example below. Because no dynamic port assignment is made for IP
Protocol VLANs on a router, there is no need to exclude any ports, only specify membership with the static
command.
An IP protocol and IP sub-net VLAN cannot operate simultaneously on a Brocade switch or router. This restriction
is also true for IPX and IPX network VLANs. If you have previously defined an IP sub-net VLAN on the system,
you need to delete it before an IP protocol VLAN can be created.
To assign ports 1, 2, 6 and 8 to an IP protocol VLAN, enter the following commands:
ServerIron(config)#ip-proto
ServerIron(config-ip-proto)#static e1 to 2 e6 e8
Syntax: [no] ip-proto
Configuring an IP Subnet Protocol VLAN
An IP sub-net protocol VLAN on a switch or router provides finer granularity than an IP protocol VLAN by
allowing broadcast domains to be partitioned by sub-net. As with the IP protocol VLAN, port
membership can be modified using the static commands. In creating an IP sub-net VLAN, an IP address is used
as an identifier.
When creating an IP sub-net VLAN on a switch, all ports are dynamically assigned to the VLAN.
On a router, no ports are dynamically assigned to an IP sub-net VLAN. VLAN port membership must be assigned
using the static command, as shown in the example below. Because no dynamic port assignment is made for IP
sub-net VLANs on a router, there is no need to exclude any ports, only specify membership with the static
command.
NOTE: An IP Protocol and IP sub-net VLAN cannot operate simultaneously on a Brocade switch or router. This
restriction is also true for IPX and IPX network VLANs. If you have previously defined an IP protocol VLAN on the
system, you need to delete it before an IP sub-net VLAN can be created.
To create an IP sub-net of IP address 192.75.3.0 with permanent port membership of 1 and 2, enter the following
commands:
BigIron(config)#ip-subnet 192.75.3.0 255.255.255.0
BigIron(config-ip-subnet)#static e1 to 2
BigIron(config-ip-subnet)#exit
Syntax: [no] ip-subnet <ip-addr> <ip-mask>
RIP
The ServerIron supports the following RIP versions:
• Version 1
• V1 compatible with V2
• Version 2 (the default)
You can configure the following parameters:
• Global parameters:
  • Administrative distance
  • Redistribution
  • Update interval
  • Learning of default route
  • Advertising and learning with specific neighbors
• Interface parameters:
  • RIP version
  • Metric
  • Learning of default route
  • Split horizon
  • Poison reverse
  • Advertising and learning of specific routes
For comprehensive information about the RIP features and how to configure them, see the "Configuring RIP"
chapter in the Foundry Enterprise Configuration and Management Guide.
Enabling RIP
RIP is disabled by default. If you want the ServerIron to use RIP you must enable the protocol globally, then
enable RIP on the virtual routing interface and specify the version (version 1 only, version 2 only, or version 1
compatible with version 2).
To globally start the RIP process, enter the following command:
ServerIron(config)#router rip
Syntax: [no] router rip
To enable RIP on the virtual routing interface and specify the RIP version, enter the following commands:
ServerIron(config-rip-router)#interface ve 1
ServerIron(config-vif-1)#ip rip v1-only
Syntax: [no] ip rip v1-only | v1-compatible-v2 | v2-only
RIP Timers
ServerIron Release 10.2.00 enhances the current functionality by providing support for RIP timers, such as
update, aging, and garbage collection.
To configure RIP timers, use commands such as the following:
ServerIron(config)# router rip
ServerIron(config-rip)# timers-basic 5 15 15
Syntax: [no] timers-basic <update-timer> <aging-timeout-interval> <garbage-collection-timer>
• The <update-timer> specifies how often RIP update messages are sent. You can specify from 1 - 1,000
  seconds. The default is 30 seconds.
• The <aging-timeout-interval> specifies how long the Brocade device waits for a route update before declaring
  a route invalid. The value specified for the <aging-timeout-interval> should be at least three times the value
  specified for the <update-timer>. The <aging-timeout-interval> can be from 3 - 3,000 seconds. The default is
  180 seconds.
• The <garbage-collection-timer> specifies how long the Brocade device waits for a route update before removing
  the route from the RIP route table. The value specified for the <garbage-collection-timer> should be at least three
  times the value specified for the <update-timer>. The <garbage-collection-timer> can be from 3 - 3,000 seconds.
  The default is 120 seconds.
Redistributing IP Static Routes into RIP
By default, the software does not redistribute the IP static routes in the route table into RIP. To configure
redistribution, perform the following tasks:
• Configure redistribution filters (optional). You can configure filters to permit or deny redistribution for a route
  based on the route’s metric. You also can configure a filter to change the metric. You can configure up to 64
  redistribution filters. The software uses the filters in ascending numerical order and immediately takes the
  action specified by the filter. Thus, if filter 1 denies redistribution of a given route, the software does not
  redistribute the route, regardless of whether a filter with a higher ID permits redistribution of that route.
  NOTE: The default redistribution action is permit, even after you configure and apply a permit or deny filter.
  To deny redistribution of specific routes, you must configure a deny filter.
  NOTE: The option to set the metric is not applicable to static routes.
• Enable redistribution.
  NOTE: If you plan to configure redistribution filters, do not enable redistribution until you have configured the
  filters.
When you enable redistribution, all IP static routes are redistributed by default. If you want to deny certain routes
from being redistributed into RIP, configure deny filters for those routes before you enable redistribution. You can
configure up to 64 RIP redistribution filters. They are applied in ascending numerical order.
NOTE: The default redistribution action is still permit, even after you configure and apply redistribution filters to
the virtual routing interface. If you want to tightly control redistribution, apply a filter to deny all routes as the last
filter (filter ID 64), then apply filters with lower filter IDs to allow specific routes.
To configure a redistribution filter, enter a command such as the following:
ServerIron(config-rip-router)# deny redistribute 1 static address 207.92.0.0 255.255.0.0
This command denies redistribution of all 207.92.x.x IP static routes.
Syntax: [no] permit | deny redistribute <filter-num> static address <ip-addr> <ip-mask> [match-metric <value> | set-metric <value>]
The <filter-num> specifies the redistribution filter ID. Specify a number from 1 – 64. The software uses the filters
in ascending numerical order. Thus, if filter 1 denies a route from being redistributed, the software does not
redistribute that route even if a filter with a higher ID permits redistribution of the route.
The address <ip-addr> <ip-mask> parameters apply redistribution to the specified network and sub-net address.
Use 0 to specify “any”. For example, “207.92.0.0 255.255.0.0” means “any 207.92.x.x sub-net”. However, to
specify any sub-net (all sub-nets match the filter), enter “address 255.255.255.255 255.255.255.255”.
The match-metric <value> parameter applies redistribution to those routes with a specific metric value; possible
values are from 1 – 15.
The set-metric <value> parameter sets the RIP metric value that will be applied to the routes imported into RIP.
NOTE: The set-metric parameter does not apply to static routes.
The following command denies redistribution of a 207.92.x.x IP static route only if the route’s metric is 5.
ServerIron(config-rip-router)# deny redistribute 2 static address 207.92.0.0 255.255.0.0 match-metric 5
The following commands deny redistribution of all routes except routes for 10.10.10.x and 20.20.20.x:
ServerIron(config-rip-router)# deny redistribute 64 static address 255.255.255.255 255.255.255.255
ServerIron(config-rip-router)# permit redistribute 1 static address 10.10.10.0 255.255.255.0
ServerIron(config-rip-router)# permit redistribute 2 static address 20.20.20.0 255.255.255.0
Enabling Redistribution
After you configure redistribution parameters, you need to enable redistribution, by entering the following
command:
ServerIron(config-rip-router)#redistribution
Syntax: redistribution
Denying Redistribution
You can configure a redistribution filter to deny redistribution for specific routes. By default, all routes are permitted
to be redistributed.
When you enable redistribution, all IP static routes are redistributed by default. If you want to deny certain routes
from being redistributed into RIP, configure deny filters for those routes before you enable redistribution. You can
configure up to 64 RIP redistribution filters. They are applied in ascending numerical order.
The default redistribution action is still permit, even after you configure and apply redistribution filters to the virtual
routing interface. If you want to tightly control redistribution, apply a filter to deny all routes as the last filter (filter ID
64), then apply filters with lower filter IDs to allow specific routes.
To configure a redistribution filter, enter the following command:
ServerIron(config-rip-router)# deny redistribute 1 static address 207.92.0.0 255.255.0.0
This command denies redistribution of all 207.92.x.x IP static routes.
The following command denies redistribution of a 207.92.x.x IP static route only if the route’s metric is 5.
ServerIron(config-rip-router)# deny redistribute 2 static address 207.92.0.0 255.255.0.0 match-metric 5
The following commands deny redistribution of all routes except routes for 10.10.10.x and 20.20.20.x:
ServerIron(config-rip-router)# deny redistribute 64 static address 255.255.255.255 255.255.255.255
ServerIron(config-rip-router)# permit redistribute 1 static address 10.10.10.0 255.255.255.0
ServerIron(config-rip-router)# permit redistribute 2 static address 20.20.20.0 255.255.255.0
Syntax: [no] deny redistribute <filter-num> static address <ip-addr> <ip-mask> [match-metric <value> | set-metric <value>]
The <filter-num> specifies the redistribution filter ID. Specify a number from 1 – 64. The software uses the filters
in ascending numerical order. Thus, if filter 1 denies a route from being redistributed, the software does not
redistribute that route even if a filter with a higher ID permits redistribution of the route.
The address <ip-addr> <ip-mask> parameters apply redistribution to the specified network and sub-net address.
Use 0 to specify “any”. For example, “207.92.0.0 255.255.0.0” means “any 207.92.x.x sub-net”. However, to
specify any sub-net (all sub-nets match the filter), enter “address 255.255.255.255 255.255.255.255”.
The match-metric <value> parameter applies redistribution to those routes with a specific metric value; possible
values are from 1 – 15.
The set-metric <value> parameter sets the RIP metric value that will be applied to the routes imported into RIP.
NOTE: The set-metric parameter does not apply to static routes.
Permitting Redistribution
You can configure a redistribution filter to permit redistribution for specific routes. When you enable redistribution,
all IP static routes are redistributed by default. If you want to permit certain routes to be redistributed into RIP,
configure permit filters for those routes before you enable redistribution.
The default redistribution action is permit, even after you configure and apply redistribution filters to the virtual
routing interface. If you want to tightly control redistribution, apply a filter to deny all routes as the last filter (filter ID
64), then apply filters with lower filter IDs to allow specific routes.
To configure a redistribution filter, enter the following command:
ServerIron(config-rip-router)# permit redistribute 1 static address 207.92.0.0 255.255.0.0
This command permits redistribution of all 207.92.x.x IP static routes.
Syntax: permit redistribute
You can configure up to 64 RIP redistribution filters. They are applied in ascending numerical order. All routes are
permitted to be redistributed.
Syntax: [no] permit redistribute <filter-num> static address <ip-addr> <ip-mask> [match-metric <value> | set-metric <value>]
The <filter-num> specifies the redistribution filter ID. Specify a number from 1 – 64. The software uses the filters
in ascending numerical order. Thus, if filter 1 denies a route from being redistributed, the software does not
redistribute that route even if a filter with a higher ID permits redistribution of the route.
The address <ip-addr> <ip-mask> parameters apply redistribution to the specified network and sub-net address.
Use 0 to specify “any”. For example, “207.92.0.0 255.255.0.0” means “any 207.92.x.x sub-net”. However, to
specify any sub-net (all sub-nets match the filter), enter “address 255.255.255.255 255.255.255.255”.
The match-metric <value> parameter applies redistribution to those routes with a specific metric value; possible
values are from 1 – 15.
The set-metric <value> parameter sets the RIP metric value that will be applied to the routes imported into RIP.
NOTE: The set-metric parameter does not apply to static routes.
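The filter rules above (ascending filter IDs, first match wins, default action permit, all-ones address and mask meaning any sub-net) can be checked offline before a configuration is applied. The following Python model is an added example, not Brocade code: the function names, the masked-compare matching and the sample configurations other than the page's own three commands are assumptions made for illustration.

```python
import ipaddress
import re

# Filter commands in the form shown in this section, with an optional CLI prompt.
FILTER_RE = re.compile(
    r"^(?:\S+#\s*)?(permit|deny) redistribute (\d+) static address "
    r"(\S+) (\S+)(?: match-metric (\d+))?"
)
ALL_ONES = int(ipaddress.IPv4Address("255.255.255.255"))

# The three commands from the page: only 10.10.10.x and 20.20.20.x are redistributed.
PAGE_CONFIG = """\
ServerIron(config-rip-router)# deny redistribute 64 static address 255.255.255.255 255.255.255.255
ServerIron(config-rip-router)# permit redistribute 1 static address 10.10.10.0 255.255.255.0
ServerIron(config-rip-router)# permit redistribute 2 static address 20.20.20.0 255.255.255.0
"""
# Constructed: the same permits without the deny-all filter 64.
NO_CATCH_ALL = """\
permit redistribute 1 static address 10.10.10.0 255.255.255.0
permit redistribute 2 static address 20.20.20.0 255.255.255.0
"""
# Constructed: deny-all given the lowest ID, so the later permit is never reached.
MISORDERED = """\
deny redistribute 1 static address 255.255.255.255 255.255.255.255
permit redistribute 5 static address 10.10.10.0 255.255.255.0
"""


def parse_filters(config_text):
    """Parse filter lines and return them in ascending filter-ID order."""
    filters = []
    for line in config_text.splitlines():
        m = FILTER_RE.match(line.strip())
        if not m:
            continue  # lines that are not filter definitions are skipped
        action, num, addr, mask, metric = m.groups()
        if not 1 <= int(num) <= 64:
            raise ValueError(f"filter ID {num} is outside 1-64")
        filters.append({
            "id": int(num),
            "action": action,
            "addr": int(ipaddress.IPv4Address(addr)),
            "mask": int(ipaddress.IPv4Address(mask)),
            "metric": int(metric) if metric else None,
        })
    return sorted(filters, key=lambda f: f["id"])


def matches(f, route_addr, metric):
    """Assumed matching: compare only the bits selected by the filter mask."""
    if f["metric"] is not None and f["metric"] != metric:
        return False
    if f["addr"] == ALL_ONES and f["mask"] == ALL_ONES:
        return True  # the page's "any sub-net" form
    return (route_addr & f["mask"]) == (f["addr"] & f["mask"])


def decide(filters, route, metric=1):
    """Return (action, filter_id) for a static route; filter_id is None for the default."""
    addr = int(ipaddress.IPv4Address(route))
    for f in filters:  # already in ascending ID order
        if matches(f, addr, metric):
            return f["action"], f["id"]
    return "permit", None  # the default redistribution action is permit


def shadowed(filters):
    """IDs of filters placed after a filter that already matches every route."""
    seen_catch_all, unreachable = False, []
    for f in filters:
        if seen_catch_all:
            unreachable.append(f["id"])
        elif f["addr"] == ALL_ONES and f["mask"] == ALL_ONES and f["metric"] is None:
            seen_catch_all = True
    return unreachable


if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("no catch-all", NO_CATCH_ALL)):
        flt = parse_filters(cfg)
        for route in ("10.10.10.0", "20.20.20.0", "192.168.5.0"):
            print(name, route, decide(flt, route))
    print("shadowed filter IDs:", shadowed(parse_filters(MISORDERED)))
```

Without filter 64 the unlisted route falls through to the default permit, which is why the page recommends a deny-all filter as the last filter when redistribution must be tightly controlled.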
Learning RIP Default Routes
By default, the software does not learn RIP default routes. To enable learning of RIP default routes, enter the
following commands:
ServerIron(config)# interface ve 1
ServerIron(config-vif-1)# ip rip learn-default
Syntax: [no] ip rip learn-default
Enabling Poison Reverse or Split Horizon
RIP can use the following methods to prevent routing loops:
• Split horizon – The ServerIron does not advertise a route on the same interface as the one on which the
ServerIron learned the route.
• Poison reverse – The ServerIron assigns a cost of 16 (“infinite” or “unreachable”) to a route before advertising
it on the same interface as the one on which the ServerIron learned the route. This is the default.
These methods are in addition to RIP’s maximum valid route cost of 15.
To enable split horizon, enter the following commands:
ServerIron(config)# interface ve 1
ServerIron(config-vif-1)# no ip rip poison-reverse
Syntax: [no] ip rip poison-reverse
OSPF
The ServerIron supports OSPF RFC 1583 by default. Optionally, you can enable support for RFC 2178.
You can configure the following OSPF parameters:
• Global parameters:
  • Areas (standard, backbone, stub, and NSSA)
  • Area ranges
  • Virtual links
  • Default metric
  • Reference bandwidth for the default cost of OSPF interfaces
  • Route path load sharing
  • Default route origination
  • Shortest Path First (SPF) timers
  • External route summarization
  • Redistribution
  • Redistribution metric type
  • LSA pacing interval
  • OSPF traps
  • Database overflow interval
• Interface parameters:
  • Area membership
  • Authentication (simple password or MD5)
  • Link cost
  • Interface priority
  • Retransmit interval, transit delay, and dead interval
For information about the OSPF features and how to configure them, see the "Configuring OSPF" chapter in the
Foundry Enterprise Configuration and Management Guide.
Dynamic Link Aggregation
The software supports the IEEE 802.3ad standard for link aggregation. This standard describes the Link
Aggregation Control Protocol (LACP), a mechanism for allowing ports on both sides of a redundant link to
configure themselves into a trunk link (aggregate link), without the need for manual configuration of the ports into
trunk groups.
When you enable link aggregation on a group of Brocade ports, the Brocade ports can negotiate with the ports at
the remote ends of the links to establish trunk groups.
Configuration Rules
• Use the link aggregation feature only if the device at the other end of the links you want to aggregate also
supports IEEE 802.3ad link aggregation. Otherwise, you need to manually configure the trunk links.
• You cannot use 802.3ad link aggregation on a port configured as a member of a static trunk group.
• Link aggregation support is disabled by default. You can enable the feature on an individual port basis, in
active or passive mode.
• Brocade recommends that you disable or remove the cables from the ports you plan to enable for dynamic
link aggregation. Doing so prevents the possibility that LACP will use a partial configuration to talk to the
other side of a link. A partial configuration does not cause errors, but does sometimes require LACP to be
disabled and re-enabled on both sides of the link to ensure that a full configuration is used. It's easier to
disable a port or remove its cable first. This applies both for active link aggregation and passive link
aggregation.
• Active mode – When you enable a port for active link aggregation, the Brocade port can exchange standard
LACP Protocol Data Unit (LACPDU) messages to negotiate trunk group configuration with the port on the
other side of the link. In addition, the Brocade port actively sends LACPDU messages on the link to search
for a link aggregation partner at the other end of the link, and can initiate an LACPDU exchange to negotiate
link aggregation parameters with an appropriately configured remote port.
• Passive mode – When you enable a port for passive link aggregation, the Brocade port can exchange
LACPDU messages with the port at the remote end of the link, but the Brocade port cannot search for a link
aggregation port or initiate negotiation of an aggregate link. Thus, the port at the remote end of the link must
initiate the LACPDU exchange.
• When the feature dynamically adds or changes a trunk group, the show trunk command displays the trunk
as both configured and active. However, the show running-config or write terminal command does not
contain a trunk command defining the new or changed trunk group.
• If link aggregation places a port into a trunk group as a secondary port, all configuration information except
information related to link aggregation is removed from the port. For example, if port 1/3 has an IP interface,
and the link aggregation feature places port 1/3 into a trunk group consisting of ports 1/1 – 1/4, the IP interface is
removed from the port.
• If you use this feature on a system running Router code that is running OSPF or BGP4, the feature causes
these protocols to reset when a dynamic link change occurs. The reset includes ending and restarting
neighbor sessions with OSPF and BGP4 peers, and clearing and relearning dynamic route entries and
forwarding cache entries. Although the reset causes a brief interruption, the protocols automatically resume
normal operation.
• If a device changes the number of ports in an active aggregate link, the Brocade device on the other end of
the link tears down the link. Once the other device recovers, 802.3 can renegotiate the link without a
mismatch.
• You can configure one or more parameters on the same command line, and you can enter the parameters in
any order.
Valid Aggregate Links
Figure 2.4 on page 2-43 shows some examples of valid aggregate links.
Figure 2.4 Examples of valid aggregate links
[Figure not reproduced; it labels ports 1/1 – 1/8 on each device. Figure note: Ports enabled for link
aggregation follow the same rules as ports configured for trunk groups.]
In this example, assume that link aggregation is enabled on all of the links between the Brocade device on the left
and the device on the right (which can be either a Brocade device or another vendor’s device). Notice that some
ports are not able to join an aggregate link even though link aggregation is enabled on them. The ports that are
not members of aggregate links in this example are not following the configuration rules for trunk links on Brocade
devices.
The Brocade rules apply to a Brocade device even if the device at the other end is from another vendor and uses
different rules.
The link aggregation feature automates trunk configuration but can coexist with Brocade’s trunk group feature.
Link aggregation parameters do not interfere with trunk group parameters.
Flexible Trunk Eligibility
Flexible Trunk Eligibility increases the tolerance for down ports during link negotiation. In a valid trunk
configuration (2-port, 4-port, or 8-port trunk starting on a valid primary port number) the device groups the device's
ports into 2-port groups consisting of an odd-numbered port and the next even-numbered port. For example,
ports 1/1 and 1/2 are a two-port group, as are ports 1/3 and 1/4, 9/1 and 9/10, and so on. If either of the ports in a
two-port group is up, the device considers both ports to be eligible to be in an aggregate link.
Figure 2.5 shows an example of 2-port groups in a range of eight ports on which link aggregation is enabled.
Based on the states of the ports, some or all of them will be eligible to be used in an aggregate link.
Figure 2.5 Two-port groups used to determine aggregation eligibility
Group 1: Port 1/1, Port 1/2
Group 2: Port 1/3, Port 1/4
Group 3: Port 1/5, Port 1/6
Group 4: Port 1/7, Port 1/8
Table 2.7 shows examples of the ports from Figure 2.5 that will be eligible for an aggregate link based on individual
port states.
Table 2.7: Port Eligibility for Link Aggregation

Link State                                                      Trunk Eligibility
Port Group 1    Port Group 2    Port Group 3    Port Group 4
1/1     1/2     1/3     1/4     1/5     1/6     1/7     1/8
Up      Up      Up      Up      Up      Up      Up      Up      8-port 1/1 – 1/8
Up      Up      Up      Up      Up      Down    Up      Up      8-port 1/1 – 1/8
Up      Up      Up      Up      Up      Down    Up      Down    8-port 1/1 – 1/8
Up      Up      Up      Up      Down    Down    Down    Up      4-port 1/1 – 1/4
Down    Down    Down    Up      Up      Up      Up      Up      4-port 1/5 – 1/8
Up      Down    Down    Down    Up      Down    Down    Down    2-port 1/1 – 1/2
As shown in these examples, all or a subset of the ports within a port range will be eligible for formation into an
aggregate link based on port states. Notice that the sets of ports that are eligible for the aggregate link must be
valid static trunk configurations. For example, a 4-port link consisting of ports 1/4 – 1/7 is not valid because this
port configuration is not valid for static trunk groups on the Brocade device.
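The eligibility rule can be reproduced in a few lines, which helps when predicting what an aggregate link will shrink to after a port failure. This Python sketch is an added example, not the device's algorithm: the function names are hypothetical, and the selection order (largest aligned 8-, 4- or 2-port block first, lowest port numbers first) is an assumption inferred from the rows of Table 2.7.

```python
VALID_SIZES = (8, 4, 2)  # trunk sizes the page names as valid, largest first

# Rows of Table 2.7: port states for 1/1 - 1/8 (U = up, D = down) and the
# eligibility the table gives, as (size, first port, last port).
TABLE_2_7 = [
    ("UUUUUUUU", (8, 1, 8)),
    ("UUUUUDUU", (8, 1, 8)),
    ("UUUUUDUD", (8, 1, 8)),
    ("UUUUDDDU", (4, 1, 4)),
    ("DDDUUUUU", (4, 5, 8)),
    ("UDDDUDDD", (2, 1, 2)),
]


def port_states(text):
    """Turn a string such as 'UUDD' into a list of booleans (True = up)."""
    return [c == "U" for c in text]


def two_port_groups(states):
    """A 2-port group (odd port plus next even port) is eligible if either port is up."""
    return [states[i] or states[i + 1] for i in range(0, len(states), 2)]


def eligible_trunk(states, first_port=1):
    """Return (size, first, last) for the link the port states allow, or None.

    states holds eight booleans for an aligned range such as 1/1 - 1/8.
    """
    if len(states) != 8:
        raise ValueError("expected the states of eight consecutive ports")
    groups = two_port_groups(states)
    for size in VALID_SIZES:
        span = size // 2  # number of 2-port groups the trunk covers
        # Only aligned starting positions are tried (assumed rule for a
        # valid primary port, consistent with the 1/4 - 1/7 counter-example).
        for start in range(0, len(groups), span):
            if all(groups[start:start + span]):
                first = first_port + 2 * start
                return size, first, first + size - 1
    return None


def is_valid_range(first, last, range_start=1):
    """Check that a port range has a valid size and starts on an aligned port."""
    size = last - first + 1
    return size in VALID_SIZES and (first - range_start) % size == 0


def check_table():
    """Compare the model against every row of Table 2.7."""
    return [eligible_trunk(port_states(s)) == want for s, want in TABLE_2_7]


if __name__ == "__main__":
    for states, want in TABLE_2_7:
        print(states, eligible_trunk(port_states(states)), "table:", want)
    print("1/4 - 1/7 valid:", is_valid_range(4, 7))
```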
Enabling Link Aggregation
By default, link aggregation is disabled on all ports.
NOTE: Configuration commands for link aggregation differ depending on whether you are using the default link
aggregation key automatically assigned by the software, or if you are assigning a different, unique key or if you are
assigning a key on a port on which link aggregation is already enabled. Follow the appropriate commands below.
Enabling Link Aggregation and Using the Default Key
Use this command to enable link aggregation on ports on which link aggregation has not been enabled if you want
the software to assign a link aggregation key.
ServerIron(config)# interface ethernet 1/1
ServerIron(config-if-e1000-1/1)# link-aggregate active
ServerIron(config)# interface ethernet 1/2
ServerIron(config-if-e1000-1/2)# link-aggregate active
Syntax: [no] link-aggregate active | passive | off
Note that these ports will use the default key, since one has not been explicitly configured. Also, the commands in
this example enable the active mode of link aggregation on ports 1/1 and 1/2. The ports can send and receive
LACPDU messages.
Assigning a Unique Key and Enabling Link Aggregation
Use this command sequence to assign a link aggregation key on ports that do not have link aggregation enabled,
and for all other link aggregation parameters (i.e., system priority, port priority, and link type).
ServerIron(config)# interface ethernet 1/1
ServerIron(config-if-e1000-1/1)# link-aggregate configure key 10000
ServerIron(config-if-e1000-1/1)# link-aggregate active
ServerIron(config)# interface ethernet 1/2
ServerIron(config-if-e1000-1/2)# link-aggregate configure key 10000
ServerIron(config-if-e1000-1/2)# link-aggregate active
The commands in this example assign the key 10000 and enable the active mode of link aggregation on ports 1/1
and 1/2. The ports can send and receive LACPDU messages.
NOTE: As shown in this example, when configuring a key, it is pertinent that you assign the key prior to enabling
link aggregation.
The following commands enable passive link aggregation on ports 1/5 – 1/8:
ServerIron(config)# interface ethernet 1/5 to 1/8
ServerIron(config-mif-1/5-1/8)# link-aggregate passive
The commands in this example enable the passive mode of link aggregation on ports 1/5 – 1/8. These ports wait
for the other end of the link to contact them. After this occurs, the ports can send and receive LACPDU messages.
To disable link aggregation on a port, enter a command such as the following:
ServerIron(config-if-e1000-1/8)# link-aggregate off
Syntax: [no] link-aggregate active | passive | off
Syntax: [no] link-aggregate configure [system-priority <num>] | [port-priority <num>] | [key <num>] | [type server | switch]
See “Link Aggregation Parameters” on page 2-47 for details on the parameters in the command.
Configuring Keys For Ports with Link Aggregation Enabled
NOTE: As shown in this command sequence, to change the key on ports that already have link aggregation
enabled, you must first turn OFF link aggregation, configure the new key, then re-enable link aggregation.
ServerIron(config)# interface ethernet 1/1 to 1/4
ServerIron(config-mif-1/1-1/4)# link-aggregate off
ServerIron(config-mif-1/1-1/4)# link-aggregate configure key 10000
ServerIron(config-mif-1/1-1/4)# link-aggregate active
ServerIron(config-mif-1/1-1/4)# interface ethernet 3/5 to 3/8
ServerIron(config-mif-3/5-3/8)# link-aggregate off
ServerIron(config-mif-3/5-3/8)# link-aggregate configure key 10000
ServerIron(config-mif-3/5-3/8)# link-aggregate active
These commands change the key for ports 1/1 – 1/4 and 3/5 – 3/8 to 10000. Since all ports in an aggregate link
must have the same key, the command in this example enables ports 1/1 – 1/4 and 3/5 – 3/8 to form a multi-slot
aggregate link.
Syntax: [no] link-aggregate active | passive | off
Syntax: [no] link-aggregate configure [system-priority <num>] | [port-priority <num>] | [key <num>] | [type server | switch]
See “Link Aggregation Parameters” on page 2-47 for details on the parameters in the command.
Link Aggregation Parameters
You can change the settings for the following link aggregation parameters, on an individual port basis:
System Priority
The system-priority <num> parameter specifies the Brocade device’s link aggregation priority. On links on which
link aggregation is enabled, system priority specifies the Brocade device’s link aggregation priority relative to the
devices at the other ends. A higher value indicates a lower priority. You can specify a priority from 0 – 65535. The
default is 1.
NOTE: If you are connecting the Brocade device to another vendor’s device and the link aggregation feature is
not working, set the system priority on the Brocade device to a lower priority (a higher priority value). In some
cases, this change allows the link aggregation feature to operate successfully between the two devices.
Port Priority
The port-priority <num> parameter determines the active and standby links. When a group of ports is
negotiating with a group of ports on another device to establish a trunk group, the Brocade port with the highest
priority becomes the default active port. The other ports (with lower priorities) become standby ports in the trunk
group. You can specify a priority from 0 – 65535. A higher value indicates a lower priority. The default is 1.
NOTE: This parameter is not supported in the current software release. The primary port in the port group
becomes the default active port. The primary port is the lowest-numbered port in a valid trunk-port group.
Link Type
The type server | switch parameter specifies whether the port group is connected to a server (server) or to
another networking device (switch). The default is switch.
NOTE: When you change the trunk hashing from server to switch, or switch to server, you must disable or
enable the trunk.
For static trunk, execute the trunk deploy command after changing the hashing type.
For dynamic trunk (LACP), first execute the no link-aggr active command on trunk ports, change the hashing
type, and then execute the link-aggregation active command.
Key
Every port that is 802.3ad-enabled has a key. The key <num> parameter identifies the group of ports that are
eligible to be aggregated into a trunk group. Ports with the same key are called a key group and are eligible to be
in the same trunk group.
When you enable link aggregation on a tagged or untagged port, Brocade’s software assigns a default key to the
port. The default key is based on the position of the port within an eight-port group (the maximum number of ports
in a trunk group on a Layer 3 Switch). The software assigns the keys in ascending numerical order, beginning with
key 0 for the first group of eight ports. For example, a 24-port module in chassis slot 1 contains keys 0, 1, and 2 by
default. Ports 1/1 – 1/8 have key 0, ports 1/9 – 1/16 have key 1, and so on.
All ports within an aggregate link must have the same key. However, if the device has ports that are connected to
two different devices, and the port groups allow the ports to form into separate aggregate links with the two
devices, then each group of ports can have the same key while belonging to separate aggregate links with
different devices.
NOTE: If you change the key for a port group, Brocade recommends that you use the value 10000 or higher, to
avoid potential conflicts with dynamically created keys.
Figure 2.6 on page 2-48 shows an example of ports that have the same key but are in different aggregate links.
Figure 2.6 Ports with the same key in different aggregate links
[Figure not reproduced; it shows ports 1/1 – 1/8 of one device. Figure note: All these ports have the same key,
but are in two separate aggregate links with two other devices.]
Device labels in the figure:
System ID: aaaa.bbbb.cccc, Ports 1/1 - 1/8: Key 0
System ID: dddd.eeee.ffff, Ports 1/5 - 1/8: Key 4
System ID: 1111.2222.3333, Ports 1/5 - 1/8: Key 69
Notice that the keys between one device and another do not need to match. The only requirement for key
matching is that all the ports within an aggregate link on a given device must have the same key.
Devices that support multi-slot trunk groups can form multi-slot aggregate links using link aggregation. However,
the link aggregation keys for the groups of ports on each module must match. For example, if you want to allow
link aggregation to form an aggregate link containing ports 1/1 – 1/4 and 3/5 – 3/8, you must change the link
aggregation key on one or both groups of ports so that the key is the same on all eight ports. Figure 2.7 on
page 2-49 shows an example.
Figure 2.7 Multi-slot aggregate link
[Figure not reproduced; it shows ports 1/1 – 1/4 and 3/5 – 3/8. Figure note: All ports in a multi-slot
aggregate link have the same key.]
Device label in the figure:
System ID: aaaa.bbbb.cccc, Ports 1/1 - 1/4: Key 0, Ports 3/5 - 3/8: Key 0
By default, the device’s ports are divided into 4-port groups. The software dynamically assigns a unique key to
each 4-port group. If you need to divide a 4-port group into two 2-port groups, change the key in one of the groups
so that the two 2-port groups have different keys. For example, if you plan to use ports 1/1 and 1/2 in VLAN 1, and
ports 1/3 and 1/4 in VLAN 2, change the key for ports 1/3 and 1/4.
NOTE: If you change the key for a port group, Brocade recommends that you use the value 10000 or higher, to
avoid potential conflicts with dynamically created keys.
About Blocked Ports
Brocade devices can block traffic on a port or shut down a port that is part of a trunk group or aggregate link for
the following reasons:
• For the purpose of link aggregation, the ports on Brocade devices are grouped into pairs of two; one
odd-numbered port, and the next even-numbered port. When you configure link aggregation on a port (for
instance, on an odd-numbered port), this port will be blocked and unable to join a trunk group until you
configure the adjacent port (the even-numbered port) as part of the aggregate link. When you configure both
ports with link aggregation and assign both ports the same key, both ports are able to join a trunk group.
Once the ports become part of a trunk group, they can transmit and receive LACP packets.
NOTE: Ports that are configured as part of an aggregate link must also have the same key. For more information
about assigning keys, see the “Link Aggregation Parameters” on page 2-47.
• When a port joins a trunk group and the port on the other end of the link shuts down or stops transmitting
LACP packets, the Brocade device blocks the port. Depending on the timeout value set on the port, the link
aggregation information expires.
If either of these events occur, the Brocade device shuts down the port and notifies all the upper layer protocols
that the port is down.
Brocade devices can also block traffic on a port that is initially configured with link aggregation. The port is
blocked until it joins a trunk group. In this case, traffic is blocked, but the port is still operational.
A port remains blocked until one of the following events occur:
• Link aggregation is enabled on the adjacent port (the paired port) and both ports have the same key
• LACP brings the port back up
• The port joins a trunk group
Displaying and Determining the Status of Aggregate Links
Use the show link-aggregation command to determine the operational status of ports associated with aggregate
links.
To display the link aggregation information for a specific port, enter a command such as the following at any level
of the CLI:
ServerIron(config-mif-1/1-1/8)# show link-aggregation ethernet 1/1
System ID: 00e0.52a9.bb00
Port [Sys P] [Port P] [ Key ] [Act][Tio][Agg][Syn][Col][Dis][Def][Exp] [Ope]
1/1     0       0        0     No   L    No   No   No   No   No   No   Ope
The command in this example shows the link aggregation information for port 1/1.
To display the link aggregation information for all ports on which link aggregation is enabled, enter the following
command at any level of the CLI:
ServerIron(config)# show link-aggregation
System ID: 00e0.52a9.bb00
Port [Sys P] [Port P] [ Key ] [Act][Tio][Agg][Syn][Col][Dis][Def][Exp][Ope]
1/1     1       1        0     No   L    Agg  Syn  No   No   Def  Exp  Ope
1/2     1       1        0     No   L    Agg  Syn  No   No   Def  Exp  Ina
1/3     1       1        0     No   L    Agg  Syn  No   No   Def  Exp  Ina
1/4     1       1        0     No   L    Agg  Syn  No   No   Def  Exp  Blo
1/5     1       1        1     No   L    Agg  No   No   No   Def  Exp  Ope
1/6     1       1        1     No   L    Agg  No   No   No   Def  Exp  Ope
1/7     1       1        1     No   L    Agg  No   No   No   Def  Exp  Dwn
1/8     1       1        1     No   L    Agg  No   No   No   Def  Exp  Dwn
Syntax: show link-aggregation [ethernet <portnum>]
Use ethernet <portnum> to display link-aggregation information for a specific port.
NOTE: Ports that are configured as part of an aggregate link must also have the same key. For more information
about assigning keys, see the section titled “Link Aggregation Parameters” on page 2-47.
The show link-aggregation command shows the following information.
Table 2.8: CLI Display of Link Aggregation Information

This Field...   Displays...

System ID       Lists the base MAC address of the device. This is also the MAC address of port 1 (or 1/1).

Port            Lists the port number.

Sys P           Lists the system priority configured for this port.

Port P          Lists the port’s link aggregation priority.

Key             Lists the link aggregation key.

Act             Indicates the link aggregation mode, which can be one of the following:
                • No – The mode is passive or link aggregation is disabled (off) on the port.
                  If link aggregation is enabled (and the mode is passive), the port can send and receive
                  LACPDU messages to participate in negotiation of an aggregate link initiated by another port,
                  but cannot search for a link aggregation port or initiate negotiation of an aggregate link.
                • Yes – The mode is active. The port can send and receive LACPDU messages.

Tio             Indicates the timeout value of the port. The timeout value can be one of the following:
                • L – Long. The trunk group has already been formed and the port is therefore using a longer
                  message timeout for the LACPDU messages exchanged with the remote port. Typically, these
                  messages are used as confirmation of the health of the aggregate link.
                • S – Short. The port has just started the LACPDU message exchange process with the port at
                  the other end of the link. The S timeout value also can mean that the link aggregation
                  information received from the remote port has expired and the ports are starting a new
                  information exchange.

Agg             Indicates the link aggregation state of the port. The state can be one of the following:
                • Agg – Link aggregation is enabled on the port.
                • No – Link aggregation is disabled on the port.

Syn             Indicates the synchronization state of the port. The state can be one of the following:
                • No – The port is out of sync with the remote port. The port does not understand the status of
                  the LACPDU process and is not prepared to enter a trunk link.
                • Syn – The port is in sync with the remote port. The port understands the status of the LACPDU
                  message exchange process, and therefore knows the trunk group to which it belongs, the link
                  aggregation state of the remote port, and so on.

Col             Indicates the collection state of the port, which determines whether the port is ready to send
                traffic over the trunk link.
                • Col – The port is ready to send traffic over the trunk link.
                • No – The port is not ready to send traffic over the trunk link.

Dis             Indicates the distribution state of the port, which determines whether the port is ready to
                receive traffic over the trunk link.
                • Dis – The port is ready to receive traffic over the trunk link.
                • No – The port is not ready to receive traffic over the trunk link.

Def             Indicates whether the port is using default link aggregation values. The port uses default
                values if it has not received link aggregation information through LACP from the port at the
                remote end of the link. This field can have one of the following values:
                • Def – The port has not received link aggregation values from the port at the other end of the
                  link and is therefore using its default link aggregation LACP settings.
                • No – The port has received link aggregation information from the port at the other end of the
                  link and is using the settings negotiated with that port.

Exp             Indicates whether the negotiated link aggregation settings have expired. The settings expire if
                the port does not receive an LACPDU message from the port at the other end of the link before
                the message timer expires. This field can have one of the following values:
                • Exp – The link aggregation settings this port negotiated with the port at the other end of the
                  link have expired. The port is now using its default link aggregation settings.
                • No – The link aggregation values that this port negotiated with the port at the other end of
                  the link have not expired, so the port is still using the negotiated settings.

Ope             • Ope (operational) - The port is operating normally.
                • Ina (inactive) - The port is inactive because the port on the other side of the link is down
                  or has stopped transmitting LACP packets.
                • Blo (blocked) - The port is blocked because the adjacent port is not configured with link
                  aggregation or because it is not able to join a trunk group. To unblock the port and bring it
                  to an operational state, enable link aggregation on the adjacent port and ensure that the
                  ports have the same key.
NOTE: Use the show trunk command to determine the status of LACP.
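The fields in Table 2.8 lend themselves to a scripted check of captured show link-aggregation output. The Python below is an added example, not a Brocade tool: the function names and finding codes are hypothetical, the sample output is constructed in the page's column order, and ports are assumed to be written as slot/port.

```python
FIELDS = ["port", "sys_p", "port_p", "key", "act", "tio", "agg",
          "syn", "col", "dis", "def", "exp", "ope"]

# Constructed sample in the column order shown on the page (not real device output).
SAMPLE = """\
ServerIron(config)# show link-aggregation
System ID: 0000.5e00.5301
Port [Sys P] [Port P] [ Key ] [Act][Tio][Agg][Syn][Col][Dis][Def][Exp][Ope]
1/1     1       1      10000   Yes  L    Agg  Syn  Col  Dis  No   No   Ope
1/2     1       1      10000   Yes  L    Agg  Syn  Col  Dis  No   No   Ope
1/3     1       1      10000   Yes  S    Agg  No   No   No   Def  Exp  Ina
1/4     1       1        0     Yes  S    Agg  No   No   No   Def  No   Blo
1/5     1       1        1     No   L    Agg  No   No   No   Def  No   Blo
"""

# What each finding means, in the terms used by the page.
EXPLAIN = {
    "inactive": "remote port is down or has stopped transmitting LACP packets",
    "blocked": "port cannot join a trunk group yet",
    "pair-missing": "paired port is not listed, so link aggregation is not enabled on it",
    "pair-key-mismatch": "paired port has a different key",
}


def parse_show_link_aggregation(text):
    """Return (system_id, [port dicts]) from captured command output."""
    system_id, ports = None, []
    for line in text.splitlines():
        tokens = line.split()
        if line.startswith("System ID:"):
            system_id = tokens[2]
        elif len(tokens) == len(FIELDS) and "/" in tokens[0]:
            ports.append(dict(zip(FIELDS, tokens)))
    return system_id, ports


def paired_port(port):
    """Odd-numbered ports pair with the next even-numbered port, and vice versa."""
    slot, num = port.split("/")
    n = int(num)
    return f"{slot}/{n + 1 if n % 2 else n - 1}"


def triage(ports):
    """Return (port, finding) tuples in output order."""
    by_port = {p["port"]: p for p in ports}
    findings = []
    for p in ports:
        name = p["port"]
        if p["ope"] == "Ina":
            findings.append((name, "inactive"))
        if p["ope"] == "Blo":
            findings.append((name, "blocked"))
        # The command lists only ports on which link aggregation is enabled,
        # so an absent paired port means the pair is only half configured.
        mate = by_port.get(paired_port(name))
        if mate is None:
            findings.append((name, "pair-missing"))
        elif mate["key"] != p["key"]:
            findings.append((name, "pair-key-mismatch"))
    return findings


if __name__ == "__main__":
    system_id, ports = parse_show_link_aggregation(SAMPLE)
    print("System ID:", system_id)
    for port, finding in triage(ports):
        print(f"{port}: {finding} - {EXPLAIN[finding]}")
```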
Clearing the Negotiated Link Aggregations
When a group of ports negotiates a trunk group configuration, the software stores the negotiated configuration in a
table. You can clear the negotiated link aggregation configurations from the software. When you clear the
information, the software does not remove link aggregation parameter settings you have configured. Only the
configuration information negotiated using LACP is removed.
NOTE: The software automatically updates the link aggregation configuration based on LACPDU messages.
However, clearing the link aggregation information can be useful if you are troubleshooting a configuration.
To clear the link aggregation information, enter the following command at the Privileged EXEC level of the CLI:
ServerIron# clear link-aggregate
Syntax: clear link-aggregate